[Ach] HSTS Headers in Apache

Adi Kriegisch adi at kriegisch.at
Wed Sep 24 08:51:06 CEST 2014


Hey!

> There's currently discussion going on whether or not we should accept
> this Pull Request on GitHub:
> https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/71
Interesting discussion! :)
"set" headers vs. "add" headers is a good catch. The same applies for nginx
where a non-core module is required to remove/replace preexisting headers.
Once we have consensus on how to deal with that, I'll fix the nginx (and
lighttpd section).
 
>     - on one hand overwriting any existing HSTS Headers makes sense so
> as not to merge/duplicate HSTS Header responses (problem stated in the
> github PR),
>     - on the other hand it hinders any web application to set its own
> HSTS rules, if it were to be aware of HSTS (which some apps are)
> 
> We'd kindly ask for your input.
The HSTS headers should be set by the web server; they are global on a
domain basis. No reason to respect the "feelings" of a single web app.

-- Adi
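The "set" vs. "add" question above comes down to what a client actually receives: with Apache's `Header add` (or an application emitting its own header next to the server's), the response carries two Strict-Transport-Security headers, and RFC 6797 section 8.1 says a user agent processes only the first one; with `Header merge` the values are joined with a comma, which is not valid STS directive syntax. The following checker is an added example, not code from the ACH project or from this thread; it parses a raw HTTP response (the sample responses, the `MIN_MAX_AGE` policy floor and all function names are constructed for this example) and reports duplicated, merged or weak HSTS headers so that a deployment can be verified after the configuration is changed.

```python
"""Check a raw HTTP response for a single, well-formed HSTS header.

Added example, not part of the Applied-Crypto-Hardening guide.
"""
import re

# Policy floor used by this example only; the thread does not specify one.
MIN_MAX_AGE = 15768000  # roughly six months, in seconds

# Constructed sample responses (not captured from any real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
# What 'Header add' (or server + app both emitting HSTS) looks like on the wire.
DUPLICATE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
# What 'Header merge' produces: values joined with a comma into one header.
MERGED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=600, max-age=31536000\r\n"
    "\r\n"
)


def split_headers(raw):
    """Return [(name_lower, value)] for every header line of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Split STS directives (RFC 6797 s6.1); None if a directive repeats."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # repeated directive makes the header invalid
            return None
        directives[name] = val.strip().strip('"')
    return directives


def check_hsts(raw):
    """Report count, parsed max-age/includeSubDomains and a list of problems."""
    sts = [v for n, v in split_headers(raw) if n == "strict-transport-security"]
    result = {"count": len(sts), "max_age": None,
              "include_subdomains": False, "problems": []}
    if not sts:
        result["problems"].append("no Strict-Transport-Security header")
        return result
    if len(sts) > 1:
        result["problems"].append(
            "duplicate STS headers: the UA processes only the first (RFC 6797 s8.1)")
    directives = parse_hsts(sts[0])  # only the first header counts, as in a UA
    if directives is None:
        result["problems"].append("malformed STS header: repeated directive")
        return result
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        # A comma-merged value such as '600, max-age=31536000' fails here.
        result["problems"].append(
            "max-age missing or not a plain integer: %r" % max_age)
        return result
    result["max_age"] = int(max_age)
    result["include_subdomains"] = "includesubdomains" in directives
    if result["max_age"] < MIN_MAX_AGE:
        result["problems"].append(
            "max-age %d is below the policy floor of %d" % (result["max_age"], MIN_MAX_AGE))
    return result


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("duplicate", DUPLICATE_RESPONSE),
                       ("merged", MERGED_RESPONSE)):
        print(label, check_hsts(raw))
```

Run against a real deployment by feeding it the raw response from a TLS connection; the duplicate case shows why the effective policy is whichever header the application or server emitted first, not the stronger one, which is the argument for letting the web server own the header outright.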