by digitalsushi 4435 days ago
Yes! And boy, it's not something you want to just enable without some thought.

I enabled it on a site that works without Host: inspection. HTTP gets you site A, and HTTPS gets you site B. (Different hostnames). This is obviously an odd arrangement, but it was working well for our little niche requirement.

I enabled HSTS in nginx while I was scrambling to do the heartbleed patch. I enabled all sorts of new age HTTPS options: HSTS, cert stapling, heavier ciphersuites, et cetera.

Of course, the HSTS started forcing all my HTTP users on site A over to site B, and I looked quite the fool. (Which is fair, because what I did was foolish and I deserved a little ridicule.)

It's a neat option and maybe even the base case allows for it, but think about it before you flip it on!


I'd recommend starting out with a small max-age value so that any mistaken records will expire quickly. (Disclosure: I'm a co-editor of the HSTS RFC.)
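
The failure digitalsushi describes above and the small-max-age advice in this reply, as an added example that is not code from the thread: a simplified client-side HSTS policy store in Python, following RFC 6797 semantics (parse the header, remember the host until max-age expires, upgrade later plain-HTTP requests). The host www.example.com, the header values and the timeline are constructed; it shows why a record set with a one-year max-age keeps sending HTTP visitors to the HTTPS site for a year, while a four-hour value lets a mistake expire on its own.

```python
"""Simplified browser-side HSTS store (RFC 6797 semantics), constructed example.

observe() must only be fed headers that arrived over an error-free HTTPS
connection (RFC 6797 section 8.1); this toy store trusts its caller to do that.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# directive-name [ "=" value ], value optionally quoted (RFC 6797 section 6.1)
DIRECTIVE_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("?)([^";]*)\2)?\s*')


@dataclass
class HstsRecord:
    host: str
    expires_at: float          # absolute time in seconds; record is dropped after this
    include_subdomains: bool


def parse_sts(header: str):
    """Return (max_age, include_subdomains), or None if the header is invalid.

    max-age is mandatory, duplicate directives invalidate the header, and
    unknown directives (e.g. preload) are ignored, as the RFC requires.
    """
    max_age, include_subdomains, seen = None, False, set()
    for part in header.split(';'):
        if not part.strip():           # empty directive slots are permitted
            continue
        m = DIRECTIVE_RE.fullmatch(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(3)
        if name in seen:
            return None
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    def __init__(self):
        self.records = {}

    def observe(self, host, header, now):
        """Record (or, for max-age=0, forget) the policy a host just sent."""
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.records.pop(host, None)   # max-age=0 is the documented way to clear a record
        else:
            self.records[host] = HstsRecord(host, now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """Exact-host match, or a parent domain whose record has includeSubDomains."""
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            rec = self.records.get(candidate)
            if rec is None:
                continue
            if rec.expires_at <= now:      # lazy expiry, as browsers do
                del self.records[candidate]
                continue
            if i == 0 or rec.include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// if the host is a known HSTS host (section 8.3)."""
        p = urlsplit(url)
        if p.scheme != 'http' or not self.is_known(p.hostname, now):
            return url
        netloc = p.hostname if p.port in (None, 80) else f'{p.hostname}:{p.port}'
        return urlunsplit(('https', netloc, p.path, p.query, p.fragment))


def simulate(header):
    """Replay the thread's scenario with a constructed host: the HTTPS side of
    www.example.com sends HSTS once; report where a plain-HTTP visit lands a
    minute later and a day later."""
    store = HstsStore()
    store.observe('www.example.com', header, now=0)
    url = 'http://www.example.com/'
    return {'immediately': store.rewrite(url, now=60),
            'after_one_day': store.rewrite(url, now=86400)}


if __name__ == '__main__':
    for h in ('max-age=31536000', 'max-age=14400'):
        print(h, simulate(h))
```

With `max-age=31536000` both lookups come back as `https://www.example.com/`, which is the redirection digitalsushi's HTTP users hit; with the four-hour `max-age=14400` the record has expired by the next day and the plain-HTTP URL is left alone, so a rollout that turns out to be wrong heals itself. Sending `max-age=0` from the HTTPS side clears the record for clients that have already been upgraded.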

Yeah. I noticed that paypal.com has a max-age of 4 hours.

Maybe the first step to avoid issues is to enforce SSL, which is easy on any webserver, before going HSTS.

Is there any downside, when using SSL, in enabling perfect forward secrecy?

Make sure you're using an SSL library that supports ECDHE cipher suites... the non-EC suites are very slow.