Describe the bug
Add our site to the HSTS preload list so HSTS is active for our site in browsers by default. Our HSTS policy is only active in a browser after that browser sees a response from our site with an HSTS response header. This means new visitors will be vulnerable to exploits if they initially visit our site using an insecure HTTP URL. To eliminate this attack vector, add our site to the "HSTS preload list" so browsers will apply HSTS to the site by default, even before a first visit. To add our site to the list, our Strict-Transport-Security header for all responses on all subdomains should have a max-age setting of at least 1 year (31,536,000 seconds), and both the includeSubDomains and preload options should be set. The header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload meets these requirements. Take care to get the capitalisation right for each option, such as for includeSubDomains.
To Reproduce
Preload set: None
Include subdomains: None
HSTS expiry: 31,536,000
Expected behavior
Once this is done, we can submit our site to https://hstspreload.org/ for inclusion in the HSTS preload list. Warning: As with enabling HSTS, we must be confident we won't need to disable HTTPS in the future. Removing ourselves from the HSTS preload list may take some time, and browsers might not keep their list up to date.
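A small checker for the requirements listed above, added here as an illustration rather than code from this project or from hstspreload.org: it parses a Strict-Transport-Security value, reports anything that would block preloading (max-age below one year, missing includeSubDomains or preload, non-canonical spelling), and audits a constructed set of hosts that mirrors the "To Reproduce" state (only max-age set). Host names and header values are made-up sample data.

```python
from typing import Optional

MIN_MAX_AGE = 31_536_000  # one year in seconds, the hstspreload.org minimum
CANONICAL = {"includesubdomains": "includeSubDomains", "preload": "preload"}

def parse_hsts(header_value: str) -> dict:
    """Split an HSTS value into {lowercased directive: (spelling as sent, value or None)}."""
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip()
        directives[name.lower()] = (name, value.strip().strip('"') if sep else None)
    return directives

def preload_problems(header_value: Optional[str]) -> list:
    """Reasons a response header fails the preload requirements; an empty list means it passes."""
    if header_value is None:
        return ["no Strict-Transport-Security header on response"]
    d = parse_hsts(header_value)
    problems = []
    max_age = d.get("max-age", (None, None))[1]
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the one-year minimum {MIN_MAX_AGE}")
    for key, canonical in CANONICAL.items():
        if key not in d:
            problems.append(f"{canonical} directive missing")
        elif d[key][0] != canonical:
            # Directive names are case-insensitive, but the issue asks for the canonical spelling.
            problems.append(f"{canonical} spelled {d[key][0]!r}; use the canonical form")
    return problems

def audit_hosts(headers_by_host: dict) -> dict:
    """Per-host problem lists; the root and every subdomain must be empty before submitting."""
    return {host: preload_problems(value) for host, value in headers_by_host.items()}

# Constructed sample: the state reported in this issue (only max-age set) beside a compliant host
# and a subdomain that sends no header at all.
SAMPLE = {
    "example.com": "max-age=31536000",
    "www.example.com": "max-age=31536000; includeSubDomains; preload",
    "api.example.com": None,
}

if __name__ == "__main__":
    for host, problems in audit_hosts(SAMPLE).items():
        print(host, "OK" if not problems else "; ".join(problems))
```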