Strict Transport Security #34
Comments
|
You're right you can't revoke it, but it doesn't affect referenced URLs. It does two things:
|
Yes; what I meant is that once we've decided to switch to HTTPS and switched on Strict Transport Security, there is no going back to HTTP in the future. Therefore, any scenario that might arise where HTTP resources need to be included (either existing or in the future) will not be possible, so such a change to enable Strict Transport Security must be done with this in mind. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Once full-HTTPS has been in place for a while, we should enable Strict Transport Security, using:
We should only add this once happy that there are no confirmed situations where mixed content could arise, either existing, or in the future (e.g. embedding third-party images if auto-pull from another site is being done).
So I think this needs to be added cautiously; my experience so far is that you absolutely have to get it right first time, as you can't back out - a browser (as designed) caches the instruction for the given time.
The text was updated successfully, but these errors were encountered: