On Sun, Nov 8, 2009 at 9:42 PM, Bil Corry <bil@corry.biz> wrote: > How does the server identify the STS clients? If there isn't a way (which I don't believe there is), then given the STS requirement that a server should redirect from non-HTTPS to HTTPS, what does that mean for UAs that don't understand STS -- does the best practice of not redirecting to HTTPS still apply[2]? > > [2] OWASP: Rule - Do Not Perform Redirects from Non-TLS Page to TLS Login Page > http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page It seems like a stretch to call this a "best practice" since it is so rarely followed. What major web sites follow this practice?Received on Monday, 9 November 2009 14:59:51 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:22 GMT