by 8organicbits
1098 days ago
I suspect well written docs avoid pushing HSTS and HSTS preload too hard. On first pass it sounds like a great security tool, so people rush to enable it, but then many have issues. When your HSTS preload setting gets hardcoded into a browser, you can't remove it. You've got to wait for all your users to update. I think the Cloudflare recommendation is based on the Qualys tool, which uses six months as their recommendation. Interestingly, Twitter is using 631138519 seconds (20 years) for their setting, so they are extra confident.