[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100

Aaron Zauner azet at azet.org
Fri Apr 3 13:04:28 CEST 2015


Hi Hanno,

Hanno Böck wrote:
> There's nothing to secure here, because it is insecure by design. If
> you're worried use HSTS. If you're worried even more let your domain be
> preloaded into the browsers (just did that with mine).
> 

As you know, the HSTS RFC specifies that HSTS headers are only valid once
transmitted via a secure connection (i.e. HTTPS). The initial redirect, and
hence the upgrade, makes a lot of sense. From there on we're with HSTS. These
301s are of course _not_ a replacement for HSTS, but for the initial
upgrade they do quite well in my opinion.

I'm also fine with changing $host: user-controlled stuff is always an
attack surface.

Aaron
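The arrangement discussed in this thread, as an added example that is not part of the original messages or of the ACH project's own configuration files: a WSGI middleware that upgrades plain-HTTP requests to HTTPS with a 301 whose target is built from a configured canonical name rather than from the request's Host header, and that emits Strict-Transport-Security only on responses that actually went over TLS (RFC 6797 makes browsers ignore the header when it arrives over plain HTTP, so sending it on the redirect buys nothing). The canonical host `www.example.org`, the max-age value and the helper names are assumptions made for this example. The nginx equivalent of the weak pattern is a redirect built from `$host`, which reflects the request's Host header; the hardened form uses the server's own configured name instead.

```python
"""
HTTP-to-HTTPS upgrade as a WSGI middleware that does not trust Host.

Added example, not code from the ACH project. The canonical host name,
HSTS max-age and helper names below are assumptions for the demo.
"""
from urllib.parse import quote

CANONICAL_HOST = "www.example.org"  # assumed canonical site name (hypothetical)
HSTS_VALUE = "max-age=15768000"      # assumed policy: roughly six months

# RFC 3986 characters that may stay unencoded in a path / query segment.
_PATH_SAFE = "/:@!$&'()*+,;="
_QUERY_SAFE = _PATH_SAFE + "?%"   # QUERY_STRING is raw, so keep %XX escapes


def naive_redirect_location(environ):
    """The pattern under discussion: host copied from the request.

    This is what a redirect built from the Host header does (nginx's $host):
    whoever controls the Host header controls where the 301 points.
    Shown for contrast only; do not use.
    """
    return f"https://{environ['HTTP_HOST']}{environ.get('PATH_INFO', '')}"


def redirect_location(environ, canonical_host=CANONICAL_HOST):
    """Build the HTTPS Location for a plain-HTTP request.

    The host part is the configured canonical name, never HTTP_HOST, so an
    attacker-supplied Host header cannot steer the redirect. Path and query
    are reflected but re-quoted, so CR/LF or spaces cannot reach the header.
    """
    path = quote(environ.get("PATH_INFO") or "/", safe=_PATH_SAFE)
    query = environ.get("QUERY_STRING", "")
    if query:
        query = "?" + quote(query, safe=_QUERY_SAFE)
    return f"https://{canonical_host}{path}{query}"


class HttpsUpgrade:
    """WSGI middleware: 301 plain-HTTP requests to HTTPS, add HSTS on HTTPS."""

    def __init__(self, app, canonical_host=CANONICAL_HOST, hsts=HSTS_VALUE):
        self.app = app
        self.canonical_host = canonical_host
        self.hsts = hsts

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Plain HTTP: redirect only, and deliberately no HSTS header here.
            location = redirect_location(environ, self.canonical_host)
            start_response("301 Moved Permanently",
                           [("Location", location),
                            ("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", "0")])
            return [b""]

        def add_hsts(status, headers, exc_info=None):
            # TLS response: replace any app-supplied HSTS header with policy.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, add_hsts)


def demo_app(environ, start_response):
    """Trivial downstream application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS\n"]


def base_environ(scheme, host, path="/", query=""):
    """Minimal constructed WSGI environ (no real socket involved)."""
    return {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": host,
        "SERVER_NAME": CANONICAL_HOST,
        "PATH_INFO": path,
        "QUERY_STRING": query,
    }


def run(app, environ):
    """Invoke a WSGI app offline; return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HttpsUpgrade(demo_app)
    # Attacker-controlled Host on plain HTTP: the 301 still points at us.
    env = base_environ("http", "evil.example", "/account/login", "next=%2Fhome")
    print("naive:   ", naive_redirect_location(env))
    status, headers, _ = run(app, env)
    print("hardened:", status, headers["Location"])
    status, headers, body = run(app, base_environ("https", CANONICAL_HOST))
    print(status, headers["Strict-Transport-Security"], body.decode().strip())
```

Running the block prints the naive target `https://evil.example/account/login` beside the hardened `https://www.example.org/account/login?next=%2Fhome`; the HTTPS request passes through with the HSTS header attached, while the 301 carries none. Validating the incoming Host against an allowlist is a separate, complementary check; this example simply never uses it to build the redirect.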

