[Rack] forcing our hands w/ TLS by setting includeSubdomains on noisebridge.net HSTS

Rubin Abdi rubin at starset.net
Fri Apr 8 18:08:56 UTC 2016


What happens if someone types in http://noisebridge.net? There are plenty
of links out there leading to us without SSL.

On 8 April 2016 at 10:56, Patrick O'Doherty <p at trickod.com> wrote:

> hey folks,
>
> Since the GA of LetsEncrypt I've wanted to make it a pattern that all
> noisebridge services operate over TLS.
>
> It occurred to me this morning that we could theoretically force our own
> hands with this by setting the includeSubdomains flag on the HSTS header
> on noisebridge.net, meaning that any service that we run on a subdomain
> *must* run over HTTPS. [0]
>
> I know there's a few subdomains like lists.noisebridge.net which would
> need to be upgraded immediately, but I can take care of that.
>
> Is there any good reason *not* to do this?
>
> p
>
> [0] - https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
>
>
> _______________________________________________
> Rack mailing list
> Rack at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/rack
>
>


-- 
Rubin
rubin at starset.net