Esri/resource-proxy

Proxies and Strict-Transport-Security header

Closed this issue · 2 comments

Hi folks,

Government domains are now mandated to use the Strict-Transport-Security header to force the use of HTTPS. As far as irreversibility goes, this is a tad serious, as willy-nilly adding this header to your services under your domain with a long max-age (as most default values are) will hinder use of HTTP from that client, often for several years.

Now perhaps we are at the point that HTTP is truly deceased and buried - for government domains I think that is true. I dunno for the rest of you.

So for these proxies I am pondering that perhaps they shouldn't suppress the Strict-Transport-Security from the proxied site. E.g. I decide to proxy a US Federal government website via a testing domain having no SSL, and the proxied header taints the entire testing domain with the HSTS directive to always redirect to HTTPS. An individual browser cache of HSTS can be deleted or edited, but that could be an issue with a large number of testers or clients.

Cheers,
Paul
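The header handling discussed above, as an added example in Python. It is not code from Esri/resource-proxy (whose own implementations are .NET, Java and PHP) and the sample header values are constructed: it parses an upstream Strict-Transport-Security header per RFC 6797 and drops it, along with the hop-by-hop headers a proxy must not forward, before the response is relayed under the proxy's own host. Two caveats worth keeping in mind when weighing the test-domain scenario: a browser only honours an STS header that arrives over HTTPS (RFC 6797 §8.1 requires it to ignore the header on insecure transport), and the resulting policy is pinned to the host that sent it, extending to subdomains only when `includeSubDomains` is present.

```python
"""Added example, not part of Esri/resource-proxy: strip an origin's
Strict-Transport-Security (STS) policy before relaying a proxied response.
Header names and values used in the usage block are constructed."""
import re
from typing import Dict, List, Optional, Tuple

STS = "strict-transport-security"
# Hop-by-hop headers (RFC 7230 s6.1) a proxy must not pass through, plus STS,
# because the origin's policy would otherwise be applied to the proxy's host.
DROP = {STS, "connection", "keep-alive", "transfer-encoding",
        "proxy-authenticate", "te", "trailer", "upgrade"}


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse an STS header field value per RFC 6797 s6.1.

    Directives are ';'-separated, names are case-insensitive, max-age is
    mandatory and every directive may appear at most once.  Unknown
    directives are ignored.  Returns None for a malformed header."""
    policy: Dict[str, object] = {"max_age": None,
                                 "include_subdomains": False,
                                 "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def lock_in_days(policy: Dict[str, object]) -> float:
    """How long a client that accepted this policy will refuse plain HTTP."""
    return int(policy["max_age"]) / 86400


def filter_proxied_headers(upstream: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the response headers the proxy relays to its client.

    Everything in DROP is removed; the remaining headers keep their order
    and original casing."""
    return [(n, v) for n, v in upstream if n.lower() not in DROP]


if __name__ == "__main__":
    # Constructed upstream response, as if from a proxied HTTPS origin.
    upstream = [
        ("Content-Type", "application/json"),
        ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Connection", "close"),
    ]
    for name, val in upstream:
        if name.lower() == STS:
            pol = parse_hsts(val)
            print(f"origin policy: {pol}, locks HTTPS for {lock_in_days(pol):.0f} days")
    print("relayed:", filter_proxied_headers(upstream))
```

A proxy that is itself served over HTTPS and wants HSTS for its own host should set its own Strict-Transport-Security header with a max-age it has chosen deliberately, rather than inherit whatever each proxied origin sends.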

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

This issue has been automatically closed due to inactivity.