Re: Sec-Scheme request header?

> On 14 Apr 2016, at 5:52 PM, Mike West <> wrote:
> I'm a little worried about terminating TLS somewhere, but carrying a "totally secure" indicator through various proxies and etc. until reaching an origin server. Doesn't that seem more confusing and problematic than status quo? "SSL added and removed here", and etc.

It's not a totally secure indicator; it's an indicator of what state the client is in WRT scheme. That state isn't explicit now, so server-side software has to guess.

This is something that would be really useful for disambiguating things in cases where the same server-side code is handling both HTTP and HTTPS URLs. 

The Opportunistic Security draft was one place this came up; I'm wondering if it'd be useful in other ways.

To be clear, I'm not pushing this, just wondering out loud.


Mark Nottingham

Received on Thursday, 14 April 2016 08:01:24 UTC