HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 1:29 pm
by Dukeswharf
Am I correct in assuming that the following code can be written in 'https-> force the following...'

secure.informaction.com Strict-Transport-Security: max-age=31536000; includeSubdomains;
paypal.com Strict-Transport-Security: max-age=31536000; includeSubdomains

to ensure STS for both specified sites?

Re: HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 1:44 pm
by Giorgio Maone
For sites which do implement STS, like the two you're mentioning, HTTPS enforcement is transparent and automatic. You don't need to do anything.
For other sites you can force HTTPS by just adding their domains in the box.
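
The automatic handling described in the reply above, sketched as an added example (not part of the original post and not NoScript's code): a browser records the `Strict-Transport-Security` header seen over HTTPS and upgrades later requests to that host. The names `parseSts` and `HstsStore` and the clock values are assumptions made for the illustration; the parsing rules follow RFC 6797.

```javascript
// Added illustration of HSTS header processing (RFC 6797 rules).
// parseSts and HstsStore are hypothetical names, not a browser or NoScript API.

function parseSts(value) {
  const seen = new Map();
  for (const part of value.split(";")) {
    const token = part.trim();
    if (token === "") continue;            // tolerate the trailing ";" seen in the thread
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const raw = eq === -1 ? "" : token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (seen.has(name)) return null;       // a repeated directive invalidates the header
    seen.set(name, raw);                   // unknown directives are kept but ignored
  }
  const age = seen.get("max-age");
  if (age === undefined || !/^\d+$/.test(age)) return null; // max-age is mandatory
  // Directive names are case-insensitive, so "includeSubdomains" matches too.
  return { maxAge: Number(age), includeSubDomains: seen.has("includesubdomains") };
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Call only for responses received over HTTPS; the header is ignored on plain HTTP.
  note(host, headerValue, nowSec) {
    const policy = parseSts(headerValue);
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.hosts.delete(key); return true; } // max-age=0 forgets the host
    this.hosts.set(key, { expires: nowSec + policy.maxAge, includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // True when a request to this host must be sent over https.
  mustUpgrade(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= nowSec) continue;
      if (i === 0 || entry.includeSubDomains) return true; // parent entries need includeSubDomains
    }
    return false;
  }
}
```

A host that never sends the header is never added to such a store, which is the case the manual force list covers.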

Re: HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 2:28 pm
by Dukeswharf
Just to be clear,

are you saying that:

1. NoScript automatically handles sites which support STS?
2. The code I exampled is redundant, or is there an instance where:

domain.com Strict-Transport-Security: max-age=31536000; includeSubdomains;

would be used?

Re: HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 2:56 pm
by Giorgio Maone
Dukeswharf wrote: are you saying that:

1. NoScript automatically handles sites which support STS?
2. The code I exampled is redundant

Yes to both.

Re: HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 3:13 pm
by Dukeswharf
Excellent!

So I can dispose of both HTTPS-Everywhere and Force-STS/STS UI (Firefox 4.0b8) by simply specifying domains in 'https-> force the following...'?

Re: HowTo: Strict-Transport-Security query

Posted: Fri Jan 07, 2011 4:01 pm
by Giorgio Maone
Dukeswharf wrote: Excellent!

So I can dispose of both HTTPS-Everywhere and Force-STS/STS UI (Firefox 4.0b8) by simply specifying domains in 'https-> force the following...'?

Yep.