On 2015/07/17 20:51, Ted Unangst wrote:
> Reyk Floeter wrote:
> > On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
> > > Florian Obser wrote:
> > > > OK?
> > > >
> > > > diff --git httpd.conf.5 httpd.conf.5
> > > > index b3eaad8..bfca29f 100644
> > > > --- httpd.conf.5
> > > > +++ httpd.conf.5
> > > > @@ -262,6 +262,18 @@ root directory of
> > > > .Xr httpd 8
> > > > and defaults to
> > > > .Pa /run/slowcgi.sock .
> > > > +.It Ic hsts Oo Ar option Oc
> > > > +Enable HTTP Strict Transport Security.
> > >
> > > Why this, but not also e.g. Public-Key-Pins or Content-Security?
> > >
> > > I think this quickly turns into a call for a generic add-header mechanism.
> >
> > HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
> > enforce HTTPS over HTTP. It is a useful security option and florian's
> > implementation lets us enable it with one simple statement: "hsts".
> >
> > If we ever find out that we'd also do other things like
> > Content-Security, we'll consider adding them as well.
>
> well, here's one list of headers that people may wish to use.
> https://www.owasp.org/index.php/List_of_useful_HTTP_headers
>
> there are many similar "top five headers you need to use today!" lists and
> blogs and such. hsts isn't unique. the key pinning and frame
> options headers are also widely recommended.
>
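Review bot: the new `.It Ic hsts Oo Ar option Oc` entry documents an optional `option` argument, but the two `+` lines quoted here never say which options are accepted or what `hsts` with no argument does; the hunk header `@@ -262,6 +262,18 @@` announces twelve added lines, so the rest of the entry (presumably the option list) has been cut from the quote and should be shown so the manpage text can be reviewed in full. The one-line description would also be clearer if it named the effect, e.g. "Enable HTTP Strict Transport Security by sending the Strict-Transport-Security response header", so readers can map the keyword to what clients actually receive.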
There are others outside of security too, like cache-control.
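The thread is about whether httpd should emit the Strict-Transport-Security header; as an added example, not code from httpd or from anyone in this thread, the Python below parses that header the way RFC 6797 section 6.1 prescribes and flags policies a defender would consider weak. The one-year `min_age` threshold and the finding strings are my own assumptions, not anything the RFC or httpd defines.

```python
# Added example (not httpd's code): parse a Strict-Transport-Security header
# per RFC 6797 section 6.1 and flag weak policies. Directive names are
# case-insensitive, max-age is mandatory, no directive may repeat, and
# unknown directives are ignored.
import re

# Matches one directive: token name, optional quoted or bare value.
_DIRECTIVE = re.compile(
    r'^\s*([-!#$%&*+.^_`|~0-9A-Za-z]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;]*)))?\s*$')


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if a
    browser would ignore the header as malformed."""
    seen = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in seen:            # a directive MUST NOT appear more than once
            return None
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    if not re.fullmatch(r'\d+', seen.get('max-age') or ''):
        return None                 # max-age is REQUIRED and must be delta-seconds
    return {'max_age': int(seen['max-age']),
            'include_subdomains': 'includesubdomains' in seen,
            'preload': 'preload' in seen}


def check_hsts(headers, min_age=31536000):
    """Audit a response-header dict. min_age (one year) is an assumed
    threshold, not a standard. Returns a list of findings; [] means OK."""
    hdr = next((v for k, v in headers.items()
                if k.lower() == 'strict-transport-security'), None)
    if hdr is None:
        return ['no Strict-Transport-Security header']
    policy = parse_hsts(hdr)
    if policy is None:
        return ['malformed Strict-Transport-Security header (browsers ignore it)']
    findings = []
    if policy['max_age'] < min_age:
        findings.append('max-age %d below %d' % (policy['max_age'], min_age))
    if not policy['include_subdomains']:
        findings.append('includeSubDomains not set')
    return findings
```

Feed it the header dict from any HTTP client library; a malformed or duplicated directive is reported as a separate finding because browsers silently drop such a header rather than applying part of it.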