[Ach] few suggestions: HSTS, code / config snippets

Martin Rublik martin.rublik at gmail.com
Sun Jan 12 19:06:05 CET 2014

On 9. 1. 2014 12:13, Martin Rublik wrote:
> 1. HSTS and HTTPS redirects
> ---------------------------
> I quickly skimmed through the document and saw no explanation of HSTS / HTTPS
> redirects. I think it would be nice to add a short explanation of HSTS before
> recommending.
> Especially it would be nice to point out that one should avoid HSTS for OCSP and
> CRL distribution point URIs.
> I guess the topic on HSTS / HTTPS redirects would fit in theory part along with
> a little explanation of SSL/TLS, or at least as a note in references in the
> Webservers section. One could cite at least RFC 6797 (at least section 11
> https://tools.ietf.org/html/rfc6797#section-11 ) and OWASP
> https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

OK, if there are no objections I'll try to prepare a few paragraphs on deploying
HSTS, perhaps an introduction to SSL/TLS (in theory section) would not harm as well.
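As an added illustration of the OCSP/CRL caveat raised above (example code written for this note, not part of the thread or of the document being discussed): a small check that parses Strict-Transport-Security header values per RFC 6797 section 6.1 and flags plain-HTTP revocation URIs whose host falls under an HSTS policy. It goes one step beyond the thread by also catching the case where a parent domain's `includeSubDomains` directive silently covers a CRL or OCSP host; all hostnames, header values and URIs are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: HSTS header values observed per host (empty string
# means no header was sent) and the revocation URIs taken from a certificate's
# AIA (OCSP) and CRL distribution point extensions.
OBSERVED_HSTS = {
    "www.example.org": "max-age=31536000; includeSubDomains",
    "ocsp.example.org": "max-age=300",
    "pki.example.net": "",
}
REVOCATION_URIS = [
    "http://ocsp.example.org/",
    "http://crl.www.example.org/ca.crl",
    "http://pki.example.net/ca.crl",
]

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the header is absent or carries no valid max-age."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def covering_policy(host, policies):
    """Return the name whose HSTS policy applies to `host`: the host itself,
    or the nearest ancestor domain whose policy sets includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = parse_hsts(policies.get(candidate, ""))
        if policy and policy["max_age"] > 0 and (i == 0 or policy["include_subdomains"]):
            return candidate
    return None

def hsts_covered_revocation_uris(uris, policies):
    """List (uri, policy_host) pairs for plain-HTTP OCSP/CRL URIs that an
    HSTS-honouring client would upgrade to HTTPS, the situation the thread warns about."""
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme == "http":
            src = covering_policy(parsed.hostname, policies)
            if src:
                findings.append((uri, src))
    return findings
```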


