Santandersecurityresearch/DrHeader

Advance DrHeader to evaluate HSTS max-age

Opened this issue · 2 comments

drHEADer version: 1.7.0

DrHEADer supports evaluating HSTS (Strict-Transport-Security). For this header, the value "max-age" is needed. As soon as the max-age is not exactly equal to the value from the yaml file, DrHEADer triggers a finding.

Please implement an evaluation of whether the max-age of the evaluated target is greater than or equal to the value set in the DrHEADer yaml file. This would reduce the number of findings from DrHEADer and make the evaluation of HSTS more reliable.
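To make the two semantics discussed in this issue concrete, here is an added, stand-alone example (not DrHEADer's own code and not the rule syntax it ships with). It parses a Strict-Transport-Security header per RFC 6797, then evaluates it against either an exact-value rule (the behaviour described above) or a hypothetical `greaterequal-age` rule that passes when the observed max-age is at least the configured minimum. The rule dictionaries and the `greaterequal-age` key are assumptions for illustration; the sample header values are constructed.

```python
"""Added example: exact-match vs. greater-or-equal evaluation of HSTS max-age.
Not DrHEADer's code; the rule shape below is a hypothetical illustration."""
import re
from typing import Dict, List, Optional

ONE_YEAR = 31536000   # seconds; common HSTS baseline
TWO_YEARS = 63072000  # seconds; hstspreload.org deployment recommendation

# Constructed rules. 'Value' mimics an exact-match rule; 'greaterequal-age'
# is an assumed key for the minimum-max-age semantics requested in the issue.
RULE_EXACT = {"Required": True, "Value": "max-age=31536000; includeSubDomains"}
RULE_GE = {"Required": True, "greaterequal-age": ONE_YEAR}


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an STS header into {directive-name: value-or-None}.

    RFC 6797: directives are ';'-separated, names are case-insensitive,
    values may be quoted, and max-age carries a non-negative integer.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        value = value.strip().strip('"')
        directives[name.strip().lower()] = value or None
    return directives


def get_max_age(header_value: str) -> Optional[int]:
    """Return max-age as an int, or None if absent or malformed."""
    raw = parse_hsts(header_value).get("max-age")
    if raw is None or not re.fullmatch(r"\d+", raw):
        return None
    return int(raw)


def evaluate(header_value: str, rule: dict) -> List[str]:
    """Evaluate one observed header against a rule; empty list means pass."""
    findings: List[str] = []

    # Exact-match semantics: any deviation, even a larger max-age, is a finding.
    if "Value" in rule and header_value.strip() != rule["Value"]:
        findings.append(f"value does not match expected '{rule['Value']}'")

    # Minimum semantics: pass when max-age >= configured floor.
    # max-age=0 (which disables HSTS) and a missing directive both fail.
    if "greaterequal-age" in rule:
        age = get_max_age(header_value)
        if age is None:
            findings.append("max-age directive missing or malformed")
        elif age < rule["greaterequal-age"]:
            findings.append(
                f"max-age {age} is below minimum {rule['greaterequal-age']}"
            )
    return findings


if __name__ == "__main__":
    for observed in (
        "max-age=31536000; includeSubDomains",   # matches exact rule
        "max-age=63072000; includeSubDomains",   # longer; exact rule flags it
        "max-age=0",                             # HSTS disabled
        "includeSubDomains; preload",            # max-age missing
    ):
        print(observed)
        print("  exact :", evaluate(observed, RULE_EXACT) or "pass")
        print("  >=    :", evaluate(observed, RULE_GE) or "pass")
```

Note that a minimum-only rule says nothing about `includeSubDomains` or `preload`; a real rule set would still need to check those directives separately if they are required.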

I'm not sure I see the value in this. 1 year is a well-established benchmark that's pretty ubiquitous, and it's unlikely that anyone would want to set a max-age that equates to 1 year + an arbitrary number of seconds.

I'd support increasing the expected value in the default rules to 63072000 (2 years), which is the recommendation from Google when using the preload list https://hstspreload.org/#deployment-recommendations

I changed the PR so that greaterequal-age can be used.