Talk:HTTP Strict Transport Security

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia

What is the exact response header?[edit]

The "Overview" section thoroughly describes how a user agent should behave, but says nothing about how the server should behave. A few sentences giving, e.g., the exact header syntax, should make the section complete and not much longer. -- (talk) 10:47, 29 June 2010 (UTC)Reply[reply]

I agree. -- Kistano (talk) 23:19, 5 September 2010 (UTC)Reply[reply]

Please, check the code[edit]

It seems like either the second -if- statement is redundant or -else if- should be replaced with simple -if- (talk) 07:33, 17 November 2010 (UTC)Reply[reply]

The second -if- statement is meant to redirect users not using HTTPS already, however, in many of the snippets there is no check for this. Code needs work. --praseodym (talk) 16:53, 26 February 2011 (UTC)Reply[reply]
That better be without AND at all. Skeleton is to be nested IFs: IF [ STS-a-must] THEN [ if { SSL-is-used } then {add-STS-header} else { redirect-to-SSL } ] ELSE [ ...non-STS path... ]

However, the code is just broken[edit]

In CFML, JSP, VB.NET example - there is no support for SSL-is-used check at all ! That results in else-if branch been always dead code. It better be removed then... Or maybe help requested on artices about JSP, VB.NET, CFML. Note - in above discussion about nested IFs - this mistake been very obvious and just could not slip in ;-) (talk) 22:50, 14 May 2011 (UTC)Reply[reply]

in addition to above, classic ASP does not support request.url (.Net does). (talk) 00:07, 7 September 2011 (UTC)Reply[reply]

FWIW, it's good practice to put an "exit;" after a "header('location: ...');" in PHP - if output buffering is off and any part of the body of the request (e.g. whitespace) has accidentally been sent to the client, I think PHP just gives a warning when you try to redirect via the location header...and then keeps executing code. So your stuff would just go out over http:// in that case. — Preceding unsigned comment added by (talk) 14:26, 10 September 2011 (UTC)Reply[reply]

Why so many code examples?[edit]

The plethora of programming languages distracts from the content of the article IMO. Also the redirect instruction doesn't fall within the scope of HSTS IMO. Ben Atkin (talk) —Preceding undated comment added 17:38, 10 July 2011 (UTC).Reply[reply]

I think its relevantMayhaymate (talk) 19:20, 3 May 2012 (UTC)Reply[reply]


I expanded the applicability section with some information about how this prevents SSL-stripping, and how it should really (or also) be in the DNS records. Please comment/edit rather than just deleting it all! (talk) 17:36, 22 March 2011 (UTC)Reply[reply]

Support - websites[edit]

I assume WP:CATALOG #4, #5 is about this list. We should not to list a website ONLY BECAUSE it has HSTS. We can list very famous web-services, such as Gmail, Facebook, Twitter - and the good indication of such is an long-lived article about this service: GMail, Facebook, Twitter. `a5b (talk) 18:27, 22 June 2011 (UTC)Reply[reply]

"Of course, the HSTS header can be stripped by the attacker if this is the user's first visit."[edit]

The HSTS header can only be sent over SSL. It may be worth mentioning that the attacker could perform a stripping attack to prevent the header from being sent, but I think the sentence should be removed in its current form.-- (talk) 15:23, 30 August 2011 (UTC)Reply[reply]

Agreed. The current wording is self-contradictory. A more correct description of the attack would be to use an SSL stripping to prevent the header from being communicated to the client. Kasperd (talk) 21:23, 25 September 2011 (UTC)Reply[reply]

Use of DNSSEC[edit]

The article mention of the possibility of using DNSSEC, but it doesn't tell how far the work is on standardizing the use of DNSSEC for this. Kasperd (talk) 21:23, 25 September 2011 (UTC)Reply[reply]

Use of HSTS without forcing all clients to use HTTPS should be added[edit]

It is possible to deploy HSTS so that a website can be accessed with and without HTTPS if wanted and I think this should be added to the article.

I.e. That HSTS is forced only to clients already accessing the site with HTTPS without forcing clients that access the site with HTTP to use HTTPS. This isnt currently clear and the article gives the impression that using HSTS forces everyone using a website to use HTTPS. Mayhaymate (talk) 11:36, 10 June 2012 (UTC)Reply[reply]

Browser Support and Implementation[edit]

Great article but some rather glaring omissions. The browser list doesn't mention IE and the implementation list doesn't mention IIS. There seem to be some other far less prevalent products listed. I wish I could help, but I'm sure someone out there could assist in providing this information for us Microsoft users. — Preceding unsigned comment added by (talk) 13:07, 15 March 2013 (UTC)Reply[reply]

Wget might not qualify as a browser, but version 1.17 and later implement HSTS support. — Preceding unsigned comment added by (talk) 18:15, 12 May 2017 (UTC)Reply[reply]

preload directive?[edit]

The RFC does not mention a preload directive or did I miss something? — Preceding unsigned comment added by (talk) 10:12, 12 March 2015 (UTC)Reply[reply]

Deployment Best Practices[edit]

The second bullet point is a little unclear:

  • I assume it should say something like "In addition to HSTS deployment, pages served by should trigger a browser request to ..." then I guess it might go on to suggest loading an empty javascript file or hidden image?
  • A source should be cited. (I have since found it under External Links but am not sure how to cite it: The State of HSTS Deployment: A Survey and Common Pitfalls) I have not found evidence of major sites implementing this (including referenced in the source) so maybe it is outdated somehow or not necessary once a domain is in the preload list.

Jimwrightbe (talk) 15:23, 5 January 2017 (UTC)Reply[reply]

In which way is HTTP insecure?[edit]

The article should not claim or suggest that HTTP is inherently insecure just because it is not encrypted. In case HTTP is inherently insecure, the article needs to explain how and why when suggesting that it is.

It is generally a very bad to give the impression that something which is encrypted is magically secure while something that is not encrypted is magically "insecure". No information and no data is secure, and no encryption is ultimately able to prevent that. — Preceding unsigned comment added by (talk) 14:09, 2 February 2020 (UTC)Reply[reply]

Mmm........... (talk) 09:49, 13 May 2023 (UTC)Reply[reply]