HowTo: Strict-Transport-Security query

Dukeswharf · Post by **Dukeswharf** » Fri Jan 07, 2011 1:29 pm

Am I correct in assuming that the following code can be written in 'https-> force the following...'

secure.informaction.com Strict-Transport-Security: max-age=31536000; includeSubdomains;
paypal.com Strict-Transport-Security: max-age=31536000; includeSubdomains

to ensure STS for both specified sites?

Post by **Giorgio Maone** » Fri Jan 07, 2011 1:44 pm

For sites which do implement STS, like the two you're mentioning, HTTPS enforcement is transparent and automatic. You don't need to do anything.
For other sites you can force HTTPS by just adding their domains in the box.

Dukeswharf · Post by **Dukeswharf** » Fri Jan 07, 2011 2:28 pm

Just to be clear,

are you saying that:

1. NoScript automatically handles sites which support STS?
2. The code I exampled is redundant, or is there an instance where:

domain.com Strict-Transport-Security: max-age=31536000; includeSubdomains;

would be used?

Post by **Giorgio Maone** » Fri Jan 07, 2011 2:56 pm

Dukeswharf wrote:are you saying that:

1. NoScript automatically handles sites which support STS?
2. The code I exampled is redundant

Yes to both.

Dukeswharf · Post by **Dukeswharf** » Fri Jan 07, 2011 3:13 pm

Excellent!

So I can dispose of both HTTPS-Everywhere and Force-STS/STS UI (FireFox 4.0b8) by simply specifying domains in 'https-> force the following...'?

Post by **Giorgio Maone** » Fri Jan 07, 2011 4:01 pm

Dukeswharf wrote:Excellent!

So I can dispose of both HTTPS-Everywhere and Force-STS/STS UI (FireFox 4.0b8) by simply specifying domains in 'https-> force the following...'?

Yep.

InformAction Forums

HowTo: Strict-Transport-Security query

HowTo: Strict-Transport-Security query

Re: HowTo: Strict-Transport-Security query

Re: HowTo: Strict-Transport-Security query

Re: HowTo: Strict-Transport-Security query

Re: HowTo: Strict-Transport-Security query

Re: HowTo: Strict-Transport-Security query