Clarify HSTS docs
bengerman13 opened this issue · 0 comments
bengerman13 commented
In order to tune HSTS per application requirements, users want better docs on HSTS tuning
Acceptance Criteria
- WHEN I read [the HSTS docs](https://cloud.gov/docs/compliance/domain-standards/#hsts-preloading)
  THEN I should see steps I need to take to override the defaults
- WHEN I read [the HSTS docs](https://cloud.gov/docs/compliance/domain-standards/#hsts-preloading)
  THEN I should see a caveat that overrides don't affect the http -> https redirect since the app is not consulted before redirecting
Security considerations
This should make it easier for users to comply with security and compliance guidance
Implementation sketch
This is a follow-up to cloud-gov/secureproxy-boshrelease#61
We should check our language in other places where we talk about headers we set, as well.
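The two points the issue asks the docs to cover, an app overriding the default `Strict-Transport-Security` header and the proxy redirecting plain-http requests before the app is ever called, can be checked with a small script. The following is an added example, not cloud.gov's or secureproxy-boshrelease's code: the proxy default header value, the one-year preload minimum, and the `app_handler`/`proxy` functions are assumptions made for illustration, and the proxy model only imitates the behaviour described in the acceptance criteria.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed threshold: hstspreload.org's current minimum max-age (one year).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HSTSPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HSTSPolicy]:
    """Parse a Strict-Transport-Security header value per RFC 6797.

    Directive names are case-insensitive, max-age may be a quoted string,
    unknown directives are ignored. Returns None when max-age is missing,
    repeated, or non-numeric (the header is then invalid and browsers ignore it).
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HSTSPolicy(max_age, include_subdomains, preload)


def preload_problems(value: str) -> list:
    """Explain why a header value would not satisfy preload-list submission rules."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is missing or malformed"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload is missing")
    return problems


# Toy model of a TLS-terminating proxy in front of an app (assumption, not the
# real secureproxy behaviour): plain-http requests are answered with a redirect
# before the app runs; https requests reach the app, whose headers win over defaults.
PROXY_DEFAULT_HSTS = "max-age=31536000; includeSubDomains; preload"  # assumed default


def app_handler(path: str):
    # Constructed app that deliberately chose a short policy, e.g. while testing.
    return 200, {"Strict-Transport-Security": "max-age=600"}


def proxy(scheme: str, host: str, path: str):
    if scheme == "http":
        # Redirect is issued by the proxy alone; app_handler is never called,
        # so nothing the app sets can change this response.
        return 301, {"Location": f"https://{host}{path}"}
    status, headers = app_handler(path)
    merged = {"Strict-Transport-Security": PROXY_DEFAULT_HSTS}
    merged.update(headers)  # app-set headers override the proxy defaults
    return status, merged


if __name__ == "__main__":
    print(proxy("http", "example.gov", "/"))
    _, h = proxy("https", "example.gov", "/")
    print(h["Strict-Transport-Security"], preload_problems(h["Strict-Transport-Security"]))
```

Running it shows the redirect carrying no app headers at all on http, and on https the app's shorter `max-age=600` replacing the proxy default, which `preload_problems` then flags as unfit for preloading; that is exactly the trade-off the docs should spell out next to the override steps.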