
Consider disabling HSTS by default #741

Open
retlehs opened this issue Jan 23, 2017 · 1 comment

@retlehs retlehs commented Jan 23, 2017

moving our internal discussion from this weekend onto here so we don't forget about it

Let’s say you have HSTS enabled. At some point something (pick a scary thing…any scary thing will do) goes wrong with your SSL configuration and your server is unable to serve a secure request. Your server cannot fulfill the secure request, but the browser (because of the HSTS header) cannot request anything that is insecure. You’re at an impasse and your visitor cannot see the content or asset in question. This remains the case until either your SSL configuration is restored or the HSTS header expires. Now imagine you’re running a large site with multiple teams and lots of moving parts and you see just how scary this issue could be.

Because of this risk, HSTS has to be an option that a user must specify in Let’s Encrypt—despite its importance.


@tmdk tmdk commented Feb 2, 2017

At the very least, consider turning off includeSubdomains as a default. I've been bitten by this (external service hosted on a subdomain that does not support https).
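As an added example (not code from this issue or from the project it belongs to), a small pre-deployment check that parses a Strict-Transport-Security header the way a browser does (RFC 6797) and reports how long the lockout window from the first comment would last and which hosts the includeSubDomains problem from the second comment would affect. The hostnames and header values are constructed for illustration.

```python
"""Pre-deployment HSTS policy check (added example, not project code)."""


def parse_hsts(header):
    """Parse an HSTS header value into {'max_age': int, 'include_subdomains': bool}.

    Returns None when the header carries no valid max-age, because a browser
    ignores such a header entirely (RFC 6797 section 8.1).
    """
    directives = {}
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition('=')
        # Directive names are case-insensitive; values may be quoted.
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get('max-age', '').isdigit():
        return None
    return {
        'max_age': int(directives['max-age']),
        'include_subdomains': 'includesubdomains' in directives,
    }


def covered_by(policy_host, policy, host):
    """True if `host` is governed by the policy that `policy_host` set."""
    policy_host = policy_host.lower()
    host = host.lower().rstrip('.')
    if host == policy_host:
        return True
    return policy['include_subdomains'] and host.endswith('.' + policy_host)


def lockout_report(policy_host, header, hosts_without_tls):
    """Return (lockout_days, hosts the browser would refuse to load over plain HTTP).

    `hosts_without_tls` is the operator's own list of names that cannot serve
    HTTPS (for example a subdomain delegated to an external service).
    """
    policy = parse_hsts(header)
    if policy is None:
        return (0, [])
    locked = [h for h in hosts_without_tls if covered_by(policy_host, policy, h)]
    return (policy['max_age'] // 86400, locked)


if __name__ == '__main__':
    # Constructed scenario: a one-year policy with includeSubDomains, and one
    # subdomain pointed at an external service that only speaks HTTP.
    print(lockout_report('example.com', 'max-age=31536000; includeSubDomains',
                         ['legacy.example.com', 'status.example.com']))
```

Run it against the header your server actually sends and the list of names you know cannot serve HTTPS before switching the policy on; an empty list with a short lockout window is what you want to see.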
