Gdestuynder (talk | contribs) (Automated sync from https://github.com/mozilla/wikimo_content) |
Line 237: | Line 237: | ||
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list] | * <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list] | ||
<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as | <tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as two years (63072000) are recommended. Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached. | ||
<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS. For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled. | <tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS. For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled. | ||
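Review bot: In the revised <tt>max-age</tt> paragraph, "until the expiry time has been reached" is ambiguous about when the clock starts, and the two values (15768000, 63072000) carry no unit. Browsers refresh the HSTS timer every time they receive the header, so the commitment runs for <tt>max-age</tt> seconds after the last response that carried it, not after the date the header was first deployed. Suggest wording along the lines of "the site must continue to support HTTPS for at least <tt>max-age</tt> seconds after the header was last sent" and writing the values as "15768000 seconds" and "63072000 seconds".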
Line 245: | Line 245: | ||
=== Examples === | === Examples === | ||
<pre># Only connect to this site via HTTPS for the | <pre># Only connect to this site via HTTPS for the two years (recommended) | ||
Strict-Transport-Security: max-age= | Strict-Transport-Security: max-age=63072000</pre> | ||
<pre># Only connect to this site and subdomains via HTTPS for the next | <pre># Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list | ||
Strict-Transport-Security: max-age= | Strict-Transport-Security: max-age=63072000; includeSubDomains; preload</pre> | ||
=== See Also === | === See Also === |
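Review bot: The comment on the first example now reads "for the two years (recommended)", which dropped the word "next" that the second example's comment keeps; suggest "for the next two years (recommended)" so the two match. The second example also pairs <tt>includeSubDomains</tt> with <tt>preload</tt>, while the paragraph above asks for extreme care with <tt>includeSubDomains</tt>. A short comment in that example pointing back to that caveat would keep readers from copying the stricter header as the default.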