Do not enable HSTS preload by default #42

Merged (1 commit), Nov 4, 2019

Conversation

JaZo (Contributor) commented Oct 31, 2019

Preloading Should Be Opt-In

If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. We get regular emails from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they find they need to remove HSTS to access certain subdomains. Removal tends to be slow and painful for those sites.

It's great to support HSTS preloading as a best practice, and for projects to provide a simple option to enable it. However, site operators who enable HSTS should know about the long-term consequences of preloading before they turn it on for a given domain. They should also be informed that they need to meet additional requirements and submit their site to hstspreload.org to ensure that it is successfully preloaded (i.e. to get the full protection of the intended configuration).

Source: https://hstspreload.org/#opt-in
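The point of the PR is a default: a project that emits Strict-Transport-Security should leave `preload` off unless the operator turns it on, because the directive's effect outlives the configuration that produced it. The following is an added example, not code from the secure-headers package or from hstspreload.org. It pairs an opt-in config with a small checker that parses an HSTS header and reports whether the preload directive is present and whether the header meets the header-level submission requirements I assume hstspreload.org publishes (max-age of at least one year, `includeSubDomains`, `preload`); the sample header values in the test are constructed.

```python
"""HSTS header builder with preload off by default, plus a preload-readiness checker.

Added example; not part of the bepsvpt/secure-headers project. The threshold
ONE_YEAR and the required directives are assumptions based on the submission
requirements hstspreload.org publishes.
"""
from dataclasses import dataclass

# Minimum max-age (seconds) hstspreload.org accepts for submission (assumed).
ONE_YEAR = 31536000


@dataclass
class HstsConfig:
    """Configuration an operator would edit. preload is opt-in."""
    max_age: int = ONE_YEAR
    include_sub_domains: bool = True
    preload: bool = False  # must be set explicitly; never defaulted to True


def build_hsts_header(cfg: HstsConfig) -> str:
    """Render the Strict-Transport-Security value from the config."""
    parts = [f"max-age={cfg.max_age}"]
    if cfg.include_sub_domains:
        parts.append("includeSubDomains")
    if cfg.preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts_header(value: str) -> dict:
    """Split an HSTS value into directives (names are case-insensitive, ';' separated)."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def check_preload_readiness(value: str) -> dict:
    """Report whether a header carries preload and whether it could be submitted.

    Returns preload_present, submittable and a list of human-readable problems.
    A header can carry 'preload' and still not be submittable, which is exactly
    the half-configured state the PR description warns about.
    """
    d = parse_hsts_header(value)
    problems = []
    try:
        max_age = int(d.get("max-age") or "")
    except ValueError:
        max_age = -1
        problems.append("max-age missing or not an integer")
    if 0 <= max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    has_preload = "preload" in d
    if not has_preload:
        problems.append("preload directive missing")
    return {
        "preload_present": has_preload,
        "submittable": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Default config: no preload directive emitted.
    print(build_hsts_header(HstsConfig()))
    # Operator opted in: directive emitted, and the checker confirms it is submittable.
    hdr = build_hsts_header(HstsConfig(preload=True))
    print(hdr, check_preload_readiness(hdr))
```

Running the checker against a header with `preload` but a short `max-age` shows the case the PR is guarding against: the directive is already advertised to browsers while the site is not yet eligible to be preloaded, so the operator gets the long-term commitment without the protection.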

@bepsvpt bepsvpt merged commit ddfbedc into bepsvpt:master Nov 4, 2019
bepsvpt (Owner) commented Nov 4, 2019

@JaZo Thanks a lot.
