Confirmed users
65
edits
Security/Guidelines/Web Security: Difference between revisions
Security/Guidelines/Web Security (view source)
Revision as of 00:01, 22 January 2017
, 22 January 2017Automated sync from https://github.com/mozilla/wikimo_content
Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_content) |
(Automated sync from https://github.com/mozilla/wikimo_content) |
||
| Line 237: | Line 237: | ||
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list] | * <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list] | ||
<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as | <tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as two years (63072000) are recommended. Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached. | ||
<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS. For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled. | <tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS. For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled. | ||
| Line 245: | Line 245: | ||
=== Examples === | === Examples === | ||
<pre># Only connect to this site via HTTPS for the | <pre># Only connect to this site via HTTPS for the two years (recommended) | ||
Strict-Transport-Security: max-age= | Strict-Transport-Security: max-age=63072000</pre> | ||
<pre># Only connect to this site and subdomains via HTTPS for the next | <pre># Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list | ||
Strict-Transport-Security: max-age= | Strict-Transport-Security: max-age=63072000; includeSubDomains; preload</pre> | ||
=== See Also === | === See Also === | ||