Consider dropping HSTS preloading #1102

Closed
florimondmanca opened this issue Jul 30, 2020 · 1 comment · Fixed by #1110
Labels
tls+pki Issues and PRs related to TLS and PKI
Milestone

Comments

@florimondmanca
Member

Prompted by #1025 (comment)

Issues like #1025 should prompt us to reconsider whether using HSTS preloading from a server-side client (introduced via #151) is a sensible thing to do at all.

Key points of reasoning here:

Some options are:

  • Add a toggle so that HSTS preload becomes opt-in or opt-out.
  • Drop HSTS functionality entirely.

Given all the context points above, we might want to just go with option 2).

@florimondmanca florimondmanca added the tls+pki Issues and PRs related to TLS and PKI label Jul 30, 2020
@florimondmanca florimondmanca added this to the v1.0 milestone Jul 30, 2020
@StephenBrown2
Contributor

My vote is for Add a toggle so that HSTS preload becomes opt-in, though for 1.0 it might be better to reduce the surface area and drop it entirely.
