by peterwwillis
4443 days ago
HSTS should be an implicit browser feature, not a server-side add-on. There should not need to be a server-side flag required to enforce this behavior. If you go to an HTTPS page on a given domain, your browser should always prefer the HTTPS page, even if you try to follow an HTTP page. The reason is, if you were able to reach the page via HTTPS before, you should be able to reach it there again, and HTTP would only expose you to an unencrypted page which is more than likely the same in content. The only downside is that sometimes HTTPS and HTTP URIs serve different resources even though the URI is the same (which I believe should be considered bad behavior by the web server). Requiring admins to enable HSTS puts the onus on web server admins who are motivated to improve security for their users a tiny bit, and only works for admins who have servers that can support HSTS flags. There are many legacy systems which simply can't or won't be changed to support it. Hopefully the above behavior gets put into the HTTP 2.0 standard so admins don't need to go through a checklist of add-on security measures every time they create a new web server instance.
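To make concrete what the server-side flag the comment objects to actually does on the client, here is a small model of a browser's HSTS policy store as specified in RFC 6797. It is an added example, not code from the commenter or from any browser: it parses the `Strict-Transport-Security` header, ignores it when it arrives over plain HTTP (the gap the comment points at: a legacy HTTP-only host never gets a policy), honours `max-age`, `includeSubDomains` and `max-age=0`, and upgrades `http://` URLs for known hosts. The `HstsCache` class, the injectable `now` clock, and the host names used below are all constructed for the example.

```python
"""Minimal model of client-side HSTS (RFC 6797) policy handling.

Added example, not from the original comment. Demonstrates how a browser
that honours the server-sent Strict-Transport-Security header decides
whether to upgrade an http:// URL, and why a header seen over plain HTTP
gives the client nothing to remember.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains), or None when the header must be
    ignored (missing, duplicated or non-numeric max-age). Unknown directives
    are skipped, as the RFC requires.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None  # duplicate or malformed max-age: reject header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Hypothetical in-memory 'known HSTS hosts' store (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._policies = {}        # host -> (expiry_timestamp, include_subdomains)

    def record(self, host, header, over_https=True):
        """Store the policy carried by a response. Returns True if one was applied.

        Headers received over plain HTTP are ignored (RFC 6797 section 8.1):
        an attacker on the path could otherwise set or clear the policy.
        """
        if not over_https:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 removes the policy
            return True
        self._policies[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                continue                    # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// for a known host (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):          # explicit port 80 becomes 443
            netloc = netloc[:-3] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The `over_https=False` branch is the practical counterpart to the comment's point: a host that only ever served HTTP, or that a user first reached over HTTP, never populates the store, so the upgrade the commenter wants to happen implicitly depends entirely on the admin having deployed the header over HTTPS.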