[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Apr 3 16:18:22 CEST 2015


On Fri 2015-04-03 07:04:28 -0400, Aaron Zauner wrote:
> Hanno Böck wrote:
>> There's nothing to secure here, because it is insecure by design. If
>> you're worried use HSTS. If you're worried even more let your domain be
>> preloaded into the browsers (just did that with mine).
>> 
>
> As you know the HSTS RFC specifies that HSTS headers are only valid once
> transmitted via a secure connection (i.e. HTTPS). The initial redirect,
> hence upgrade makes a lot of sense. From there on we're with HSTS. These
> 301's are of course _not_ a replacement for HSTS, but for initial
> upgrade they do quite well in my opinion.

I think Hanno's argument was not that we should continue to recommend
$host here, but that from a security perspective, the user relying on
good configuration here is lost anyway.

> I'm also fine with changing $host: user controlled stuff is always an
> attack surface.

I agree with this, but it's a little frustrating that it makes the
documentation harder to write cleanly.

Would $server_name be an acceptable substitution?

http://nginx.org/en/docs/http/ngx_http_core_module.html#var_server_name

        --dkg
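The two redirect forms under discussion in a single nginx server block, as an added example that is not from the thread or the pull request it refers to; the domain names are placeholders.

```nginx
# Added example, not from the mailing-list thread or the PR. Domain names are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;

    # Weak form: $host is taken from the request line or the client-supplied
    # Host header, so "Host: attacker.example" yields
    # "Location: https://attacker.example/<path>". Kept here only for comparison.
    # return 301 https://$host$request_uri;

    # Corrected form: $server_name is the primary name of this server block,
    # fixed by configuration rather than by the request.
    # Caveat: it is always the first name in the server_name directive, so a
    # request for www.example.com is redirected to https://example.com/<path>
    # here; use one server block per name if that matters.
    return 301 https://$server_name$request_uri;
}

# Requests whose Host header matches no server_name would otherwise be served
# by the first block on the port. A catch-all that closes the connection
# (444 is nginx-specific) keeps them out of the redirect entirely.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```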
