Re: Testing W3C's HTTPS setup

On Thu, Oct 8, 2015 at 3:46 PM, Ted Guild <ted@w3.org> wrote:

> The problem comes from trying to combine HSTS (site wide) and upgrade
> insecure requests.
>

1. This is something that the signaling header is supposed to help with.
That is, if you know that your site requires the upgrade mechanism, then
you don't deliver an HSTS header unless that signal is present. That's item
#4 in the spec's recommendations:
https://w3c.github.io/webappsec-upgrade-insecure-requests/#recommendations.

2. Why is HSTS a requirement? It is certainly excellent when you're ready
to deploy it, but it's easily decoupled from the initial migration.

-mike

Received on Thursday, 8 October 2015 13:57:53 UTC
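The gating Mike describes in point 1 (recommendation #4 of the upgrade-insecure-requests spec) can be sketched as a server-side decision: emit `Strict-Transport-Security` only when the client advertises `Upgrade-Insecure-Requests: 1`, so browsers that cannot upgrade `http://` subresources are not pinned to HTTPS and then hit mixed-content blocking. The following is an added example written for this archive page; it is not code from the thread, from Ted or Mike, or from W3C's actual server configuration. The function names, the `max-age` value and the `Vary` handling are assumptions of the example.

```python
"""Conditional HSTS emission keyed on the Upgrade-Insecure-Requests signal.

Added example, not the W3C site's configuration. It models the rule from the
reply above: a site that still relies on the upgrade mechanism sends an HSTS
header only to clients that signal support for it. Function names are
hypothetical; the policy values below are constructed for illustration.
"""
from typing import Dict, Mapping

# Constructed policy value; a real deployment chooses its own max-age.
HSTS_VALUE = "max-age=31536000; includeSubDomains"

# CSP directive asking a supporting browser to upgrade http:// subresources.
UIR_CSP = "upgrade-insecure-requests"


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def client_signals_upgrade(request_headers: Mapping[str, str]) -> bool:
    """True iff the request carries 'Upgrade-Insecure-Requests: 1'."""
    return _header(request_headers, "Upgrade-Insecure-Requests") == "1"


def build_security_headers(request_headers: Mapping[str, str],
                           is_tls: bool) -> Dict[str, str]:
    """Response headers for one request.

    - Nothing is added on plain-HTTP responses: browsers ignore HSTS received
      over HTTP, and the CSP upgrade directive only matters for secure pages.
    - Over TLS, every client gets the upgrade directive.
    - HSTS is added only when the client signalled Upgrade-Insecure-Requests,
      so a legacy browser is never forced onto HTTPS pages whose http://
      subresources it cannot upgrade.
    - The response varies on the signal, so a shared cache does not hand the
      HSTS variant to a client that never sent the signal (assumed cache
      hygiene; check your own cache layer's behaviour).
    """
    headers: Dict[str, str] = {}
    if not is_tls:
        return headers

    headers["Content-Security-Policy"] = UIR_CSP
    headers["Vary"] = "Upgrade-Insecure-Requests"
    if client_signals_upgrade(request_headers):
        headers["Strict-Transport-Security"] = HSTS_VALUE
    return headers


if __name__ == "__main__":
    # Constructed request headers for two client kinds.
    modern_client = {"Host": "example.test", "Upgrade-Insecure-Requests": "1"}
    legacy_client = {"Host": "example.test"}
    print("modern over TLS:", build_security_headers(modern_client, True))
    print("legacy over TLS:", build_security_headers(legacy_client, True))
    print("modern over HTTP:", build_security_headers(modern_client, False))
```

A legacy client that lands on the HTTPS origin still gets the upgrade directive (harmless if unsupported) but no HSTS, so its next navigation to an `http://` URL is not rewritten by the browser; once the site has no remaining `http://` references, the gate can be removed and HSTS sent unconditionally, which is the decoupling Mike's point 2 refers to.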