Security: Use HSTS preload #12
Labels: bug, enhancement, help wanted
Describe the bug
Add our site to the HSTS preload list so HSTS is active for our site in browsers by default. Our HSTS policy is only active in a browser after that browser sees a response from our site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit our site using an insecure HTTP URL. To eliminate this attack vector, add our site to the "HSTS preload list" so browsers will apply HSTS to a site by default even before a first visit. To add our site to the list, our `Strict-Transport-Security` header for all responses on all subdomains should have a `max-age` setting of at least 1 year (31,536,000 seconds) and both the `includeSubDomains` and `preload` options should be set. The header `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` meets these requirements. Take care to get the capitalisation right for each option such as for `includeSubDomains`.
To Reproduce
Preload set: None
Include subdomains: None
HSTS expiry: 31,536,000
Expected behavior
Once this is done, we can submit our site to https://hstspreload.org/ for inclusion in the HSTS preload list. Warning: As with enabling HSTS, we must be confident we won't need to disable HTTPS in the future. Removing ourselves from the HSTS preload list may take some time and browsers might not keep their list up to date.