Hacker News new | ask | show | jobs
by merb 2946 days ago
> That's why there is the HSTS preload list

which has the following requirements: 1. Serve a valid certificate. 2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

oops.
1 comments
bjpbakker 2945 days ago
In the second part of that sentence:

> if you are listening on port 80

You don’t have to accept trafic on the http port for HSTS preloading. But iff you do you must redirect it.

This rule makes sense; at least you should never serve content over http.

link
gjs278 2945 days ago
not everyone's browser has that list. if you turn off port 80, at no point will the browser that doesn't have this list be able to connect to your website.
link
bjpbakker 2945 days ago
Except for Opera Mini and UC (Android), all modern browsers do. That’s over 85% of global usage. [0]

[0] https://caniuse.com/#feat=stricttransportsecurity

link
gjs278 2945 days ago
https://www.reddit.com/r/AskNetsec/comments/6mo4lt/how_long_...

checkmate

link