HSTS without IncludeSubdomains is often useless #22663
Conversation
1) Because if you forget to add `Secure;` to the session cookie, it will leak to an http:// subdomain in some cases.
2) Because an http:// subdomain can Cookie Bomb / cookie force the main domain or be used for phishing.
That's why *by default* it must include subdomains, as it's a much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted. Yes, many developers forget to add subdomains=true by default, believe me :)
r? @senny (@rails-bot has picked a reviewer for you, use r? to override)
I tend to agree (but put a good warning somewhere in the docs). Without IncludeSubdomains it also does not save you from https://example.com -> http://www.example.com redirects. https://twitter.com/jgrahamc/status/677829158366543872
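To make the two failure modes above concrete, here is an added example (written for this thread, not code from Rails or from the commenters). It is plain Ruby with no gems: a Rack-style middleware that emits the `Strict-Transport-Security` header with and without `includeSubDomains`, and a checker that runs over a few constructed `Set-Cookie` values and reports which cookies would still travel over http:// to a subdomain. The cookie names, domains and the `HstsMiddleware` class are all assumptions made for the example.

```ruby
# Added example for the HSTS / includeSubDomains discussion; not Rails code.
HSTS_DEFAULT_MAX_AGE = 31_536_000 # one year, in seconds

# Build the Strict-Transport-Security header value. With include_subdomains: false
# only the exact host is pinned to HTTPS, so http://blog.example.com stays reachable
# over plaintext and an https://example.com -> http://www.example.com redirect is
# not prevented either.
def hsts_header(max_age: HSTS_DEFAULT_MAX_AGE, include_subdomains: true, preload: false)
  value = "max-age=#{max_age}"
  value << "; includeSubDomains" if include_subdomains
  value << "; preload" if preload
  value
end

# Minimal Rack-style middleware (hypothetical class, not ActionDispatch::SSL).
class HstsMiddleware
  def initialize(app, include_subdomains: true)
    @app = app
    @value = hsts_header(include_subdomains: include_subdomains)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Browsers only honour HSTS on responses received over TLS (RFC 6797),
    # so the header is attached only when the request arrived over https.
    headers["Strict-Transport-Security"] = @value if env["rack.url_scheme"] == "https"
    [status, headers, body]
  end
end

# Split a Set-Cookie value into the cookie name and its lowercase attribute names.
def parse_set_cookie(header)
  parts = header.split(";").map(&:strip)
  name = parts.shift.split("=", 2).first
  [name, parts.map { |p| p.split("=", 2).first.downcase }]
end

# Report cookies without the Secure attribute. A cookie scoped with Domain= is sent
# to every subdomain, so if HSTS does not cover subdomains it rides along on a
# plaintext request to http://blog.example.com. A host-only cookie without Secure
# is still a finding, but only HSTS on the host itself keeps it off plaintext.
def unprotected_cookies(set_cookie_headers, hsts_value)
  subdomains_pinned = hsts_value.to_s.downcase.include?("includesubdomains")
  set_cookie_headers.each_with_object({}) do |header, findings|
    name, attrs = parse_set_cookie(header)
    next if attrs.include?("secure") # Secure cookies never travel over http://
    findings[name] =
      if attrs.include?("domain") && !subdomains_pinned
        "leaks over http:// to subdomains (Domain= set, HSTS lacks includeSubDomains)"
      else
        "no Secure flag: only HSTS keeps it off plaintext"
      end
  end
end

# Constructed sample Set-Cookie headers, as an app might emit them.
SAMPLE_COOKIES = [
  "_app_session=abc123; Domain=.example.com; Path=/; HttpOnly", # forgot Secure, shared with subdomains
  "csrf_token=xyz789; Path=/; Secure; HttpOnly",                 # correctly flagged Secure
  "theme=dark; Path=/",                                          # host-only, no Secure
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "HSTS without subdomains: #{hsts_header(include_subdomains: false)}"
  unprotected_cookies(SAMPLE_COOKIES, hsts_header(include_subdomains: false)).each do |name, why|
    puts "  #{name}: #{why}"
  end
  puts "HSTS with subdomains:    #{hsts_header}"
  unprotected_cookies(SAMPLE_COOKIES, hsts_header).each do |name, why|
    puts "  #{name}: #{why}"
  end
end
```

Running it shows the point of the issue: with `includeSubDomains` the session cookie missing `Secure` is still a finding, but it no longer reaches a plaintext subdomain, because the browser refuses to make the http:// request in the first place. The checker is deliberately conservative and only reads attribute names, so it works on any `Set-Cookie` line from a captured response.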
Agree, but it's a breaking change. Path forward:
@homakov are you working on Jeremy's suggestions? Otherwise I can start off on your branch and work on suggestions.
r? @jeremy
@prathamesh-sonpatki no, I don't code. Feel free to help, thanks.
@homakov Thanks, I will work on Jeremy's suggestions.
I have a branch locally, will get it wrapped in the next few days.
@prathamesh-sonpatki Did you look into this?
Yes, I am working on it.
Closing in favor of #23852 |