Re: HSTS Misuse

On 23 May 2016, at 2:03 PM, Dennis Olvany <dennisolvany@gmail.com> wrote:

> For lack of some prior discussion of this caveat, it would be great to hear some opinions. While it is possible for a server provider to give the domain owner the choice to enable HSTS, I have concluded that it may be best for a 3rd party to never implement HSTS on a domain owner's behalf. This would altogether prevent the caveat for an unwitting domain owner.

Sending an HSTS header makes a statement that this domain (possibly including subdomains) is HTTPS-only for up to max-age.

If I’m the administrator for the service and I’m configuring my own server then yes, I can make this statement.

If I’m providing the server as a service, whether I’m a CDN or just a hosting service, I would have to have a long talk with the customer to make sure they understand the benefits and implications (“If we set this header, it’s protecting you against some kinds of SSL stripping attacks, but you can’t revert to HTTP at will: you’ll have to wait for so many days”). I don’t think this matches the way of doing business for most CDNs and hosting services, except for their very large customers.

Yoav

Received on Tuesday, 24 May 2016 13:17:39 UTC
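To make the caveat in the thread concrete, here is an added example (not code from the thread's participants) that models how a browser stores and applies a Strict-Transport-Security header as described in RFC 6797: a header received over HTTPS pins the host (and, with includeSubDomains, every subdomain) for max-age seconds, a header received over plain HTTP is ignored, and only a later max-age=0 header served over HTTPS from the same host clears the entry. The user-agent model, the one-year max-age value and the host names example.com / intranet.example.com are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DAY = 86400  # seconds


@dataclass
class HstsPolicy:
    host: str
    max_age: int               # seconds, from the max-age directive
    include_subdomains: bool   # True if includeSubDomains was present
    received_at: float         # seconds since epoch when the header was seen


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains), or None when the header is invalid:
    max-age missing or non-numeric, or any directive repeated.  Directive
    names are case-insensitive and max-age may be quoted; unknown directives
    are ignored, as the RFC requires of a conforming user agent.
    """
    max_age: Optional[int] = None
    include_sub = False
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def apply_sts_header(store: Dict[str, HstsPolicy], host: str, value: str,
                     now: float, over_https: bool = True) -> bool:
    """Update the UA's HSTS store the way RFC 6797 section 8.1 prescribes.

    Headers seen over plain HTTP are ignored; max-age=0 removes the entry;
    anything else (re)sets the policy for exactly this host.  Returns True
    if the store was changed.
    """
    if not over_https:
        return False
    parsed = parse_sts_header(value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    host = host.lower()
    if max_age == 0:
        return store.pop(host, None) is not None
    store[host] = HstsPolicy(host, max_age, include_sub, now)
    return True


def https_forced(store: Dict[str, HstsPolicy], host: str, now: float) -> bool:
    """True if the UA would rewrite an http:// request for host to https://.

    A host matches its own entry, or any unexpired superdomain entry that
    carries includeSubDomains (RFC 6797 sections 8.2 and 8.3).
    """
    host = host.lower()
    for p in store.values():
        if now >= p.received_at + p.max_age:
            continue  # expired entry: no longer enforced
        if host == p.host or (p.include_subdomains and host.endswith("." + p.host)):
            return True
    return False


def days_remaining(store: Dict[str, HstsPolicy], host: str, now: float) -> float:
    """Days until the entry for exactly `host` expires (0 if none/expired)."""
    p = store.get(host.lower())
    if p is None:
        return 0.0
    return max(0.0, (p.received_at + p.max_age - now) / DAY)


def provider_scenario() -> Tuple[bool, bool, bool, float, bool]:
    """Constructed scenario: a hosting provider sends HSTS for example.com on
    the owner's behalf, then simply stops sending it; the pin persists until
    the provider serves max-age=0 over HTTPS or the year elapses."""
    store: Dict[str, HstsPolicy] = {}
    t0 = 0.0
    apply_sts_header(store, "example.com", "max-age=31536000; includeSubDomains", t0)
    # The owner's separate intranet host, which only speaks HTTP, is now pinned too.
    intranet_pinned = https_forced(store, "intranet.example.com", t0 + 30 * DAY)
    # Stopping the header changes nothing: the stored policy stays in force.
    still_pinned_half_year = https_forced(store, "intranet.example.com", t0 + 180 * DAY)
    # A max-age=0 over plain HTTP is ignored by the UA.
    ignored = not apply_sts_header(store, "example.com", "max-age=0", t0 + 180 * DAY, over_https=False)
    remaining = days_remaining(store, "example.com", t0 + 30 * DAY)
    # Only max-age=0 served over HTTPS from example.com itself clears the pin.
    apply_sts_header(store, "example.com", "max-age=0", t0 + 180 * DAY)
    cleared = not https_forced(store, "intranet.example.com", t0 + 180 * DAY)
    return intranet_pinned, still_pinned_half_year, ignored, remaining, cleared
```

The scenario function reproduces the point made above: once the provider has emitted the header, removing it from the configuration does not release the customer, and a subdomain the provider never hosted is affected as soon as includeSubDomains is present. Clearing the pin requires the provider to keep serving the domain over HTTPS long enough for every browser to fetch a max-age=0 response, which is the operational commitment the reply describes.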