by iancarroll 4255 days ago
https://hstspreload.appspot.com/ says they don't use HSTS as a preload. They should...
3 comments

Facebook seems to be doing some client sniffing to decide whether to set the headers...

In my browser (FF nightly), I see the HSTS header, with the value: "max-age=15552000; preload"

If I do a request with curl, no header... (which is probably what this app sees).

I don't have a clue why they are doing that, though. Not that curl would do something with the HSTS header anyway, but still...
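The comment above contrasts the header a browser sees with what curl sees and quotes the value "max-age=15552000; preload". The following is an added example, not code from the thread or from any of the sites discussed: a small RFC 6797-style parser for a Strict-Transport-Security value, a check listing what a preload submission would still be missing, and a helper that fetches the header for a host with a chosen User-Agent so the browser-versus-curl difference can be reproduced. The one-year minimum for max-age is assumed from the hstspreload.org submission requirements; the two sample header values are constructed.

```python
# Added example: parse an HSTS header value and list preload gaps.
import http.client
from dataclasses import dataclass
from typing import List, Optional

# Assumption: hstspreload.org requires max-age of at least one year (in seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None when the directive is absent
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age may be quoted, and
    unknown directives are ignored rather than rejected.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_gaps(policy: HstsPolicy) -> List[str]:
    """Return the directives a preload-list submission would still need."""
    gaps = []
    if policy.max_age is None:
        gaps.append("max-age missing")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        gaps.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        gaps.append("includeSubDomains missing")
    if not policy.preload:
        gaps.append("preload missing")
    return gaps


def fetch_hsts(host: str, user_agent: str = "curl/8.0", path: str = "/") -> Optional[str]:
    """HEAD a host over TLS and return its HSTS header, or None if absent.

    Call this twice with different User-Agent strings to see whether the
    server varies the header by client (network access required; not
    exercised by the offline samples below).
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": user_agent})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed samples: the value quoted in the thread and a preload-ready one.
    for sample in ("max-age=15552000; preload",
                   'Max-Age="31536000"; IncludeSubDomains; Preload'):
        policy = parse_hsts(sample)
        print(sample, "->", policy, "gaps:", preload_gaps(policy) or "none")
```

Run as a script it only parses the two constructed samples; pass a hostname and two User-Agent strings to `fetch_hsts` yourself to compare what a browser-like client and a curl-like client are served.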

Facebook has HSTS preload on www.facebook.com, but not on the redirect from facebook.com->www.facebook.com. I suppose they have their reasons.

Google.com also doesn't seem to have it.

Google only uses a certificate pin and doesn't force SSL. Sadly.