Talk:HTTP Strict Transport Security

From Wikipedia, the free encyclopedia
Jump to: navigation, search
          This article is of interest to the following WikiProjects:
WikiProject Computing / Security (Rated C-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computer Security (marked as High-importance).
 
WikiProject Internet (Rated C-class, High-importance)
WikiProject icon This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
 
WikiProject Cryptography / Computer science  (Rated C-class, Low-importance)
WikiProject icon This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
C-Class article C  This article has been rated as C-Class on the quality scale.
 Low  This article has been rated as Low-importance on the importance scale.
Taskforce icon
This article is supported by WikiProject Computer science (marked as Low-importance).
 

What is the exact response header?[edit]

The "Overview" section thoroughly describes how a user agent should behave, but says nothing about how the server should behave. A few sentences giving, e.g., the exact header syntax, should make the section complete and not much longer. --66.30.251.99 (talk) 10:47, 29 June 2010 (UTC)

I agree. -- Kistano (talk) 23:19, 5 September 2010 (UTC)

Please, check the code[edit]

It seems like either the second -if- statement is redundant or -else if- should be replaced with simple -if- 194.105.145.69 (talk) 07:33, 17 November 2010 (UTC)

The second -if- statement is meant to redirect users not using HTTPS already, however, in many of the snippets there is no check for this. Code needs work. --praseodym (talk) 16:53, 26 February 2011 (UTC)
That better be without AND at all. Skeleton is to be nested IFs: IF [ STS-a-must] THEN [ if { SSL-is-used } then {add-STS-header} else { redirect-to-SSL } ] ELSE [ ...non-STS path... ]

However, the code is just broken[edit]

In CFML, JSP, VB.NET example - there is no support for SSL-is-used check at all ! That results in else-if branch been always dead code. It better be removed then... Or maybe help requested on artices about JSP, VB.NET, CFML. Note - in above discussion about nested IFs - this mistake been very obvious and just could not slip in ;-) 79.111.223.5 (talk) 22:50, 14 May 2011 (UTC)

in addition to above, classic ASP does not support request.url (.Net does). 173.9.157.225 (talk) 00:07, 7 September 2011 (UTC)

FWIW, it's good practice to put an "exit;" after a "header('location: ...');" in PHP - if output buffering is off and any part of the body of the request (e.g. whitespace) has accidentally been sent to the client, I think PHP just gives a warning when you try to redirect via the location header...and then keeps executing code. So your stuff would just go out over http:// in that case. — Preceding unsigned comment added by 74.79.145.8 (talk) 14:26, 10 September 2011 (UTC)

Why so many code examples?[edit]

The plethora of programming languages distracts from the content of the article IMO. Also the redirect instruction doesn't fall within the scope of HSTS IMO. Ben Atkin (talk) —Preceding undated comment added 17:38, 10 July 2011 (UTC).

I think its relevantMayhaymate (talk) 19:20, 3 May 2012 (UTC)

Applicability[edit]

I expanded the applicability section with some information about how this prevents SSL-stripping, and how it should really (or also) be in the DNS records. Please comment/edit rather than just deleting it all! 155.198.65.73 (talk) 17:36, 22 March 2011 (UTC)

Support - websites[edit]

I assume WP:CATALOG #4, #5 is about this list. We should not to list a website ONLY BECAUSE it has HSTS. We can list very famous web-services, such as Gmail, Facebook, Twitter - and the good indication of such is an long-lived article about this service: GMail, Facebook, Twitter. `a5b (talk) 18:27, 22 June 2011 (UTC)

"Of course, the HSTS header can be stripped by the attacker if this is the user's first visit."[edit]

The HSTS header can only be sent over SSL. It may be worth mentioning that the attacker could perform a stripping attack to prevent the header from being sent, but I think the sentence should be removed in its current form.--79.66.208.193 (talk) 15:23, 30 August 2011 (UTC)

Agreed. The current wording is self-contradictory. A more correct description of the attack would be to use an SSL stripping to prevent the header from being communicated to the client. Kasperd (talk) 21:23, 25 September 2011 (UTC)

Use of DNSSEC[edit]

The article mention of the possibility of using DNSSEC, but it doesn't tell how far the work is on standardizing the use of DNSSEC for this. Kasperd (talk) 21:23, 25 September 2011 (UTC)

Use of HSTS without forcing all clients to use HTTPS should be added[edit]

It is possible to deploy HSTS so that a website can be accessed with and without HTTPS if wanted and I think this should be added to the article.

I.e. That HSTS is forced only to clients already accessing the site with HTTPS without forcing clients that access the site with HTTP to use HTTPS. This isnt currently clear and the article gives the impression that using HSTS forces everyone using a website to use HTTPS. Mayhaymate (talk) 11:36, 10 June 2012 (UTC)

Browser Support and Implementation[edit]

Great article but some rather glaring omissions. The browser list doesn't mention IE and the implementation list doesn't mention IIS. There seem to be some other far less prevalent products listed. I wish I could help, but I'm sure someone out there could assist in providing this information for us Microsoft users. — Preceding unsigned comment added by 70.42.29.6 (talk) 13:07, 15 March 2013 (UTC)