On Fri, Jul 17, 2015 at 08:51:54PM -0400, Ted Unangst wrote:
> Reyk Floeter wrote:
> > On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
> > > Florian Obser wrote:
> > > > OK?
> > > > 
> > > > diff --git httpd.conf.5 httpd.conf.5
> > > > index b3eaad8..bfca29f 100644
> > > > --- httpd.conf.5
> > > > +++ httpd.conf.5
> > > > @@ -262,6 +262,18 @@ root directory of
> > > >  .Xr httpd 8
> > > >  and defaults to
> > > >  .Pa /run/slowcgi.sock .
> > > > +.It Ic hsts Oo Ar option Oc
> > > > +Enable HTTP Strict Transport Security.
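Review bot: the visible lines document `hsts` as taking an optional `option` argument (`Oo Ar option Oc`) but say nothing about which values it accepts or what the emitted header defaults to (max-age, and whether subdomains are covered) when no option is given; since the stated goal is good defaults, the entry should spell them out, e.g. a sentence after `Enable HTTP Strict Transport Security.` naming the default max-age. It should also state that the option only makes sense on TLS-enabled servers, because user agents ignore a Strict-Transport-Security header received over plain HTTP.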
> > > 
> > > Why this, but not also e.g. Public-Key-Pins or Content-Security?
> > > 
> > > I think this quickly turns into a call for a generic add-header mechanism.
> > > 
> > 
> > HSTS is a good thing and widely pushed, e.g. by Google, in an effort to
> > enforce HTTPS over HTTP.  It is a useful security option and florian's
> > implementation lets us enable it with one simple statement: "hsts".
> > 
> > If we ever find out that we'd also do other things like
> > Content-Security, we'll consider adding them as well.
> 
> well, here's one list of headers that people may wish to use.
> https://www.owasp.org/index.php/List_of_useful_HTTP_headers
> 
> there are many similar "top five headers you need to use today!" lists and
> blogs and such. hsts isn't unique. the key pinning and frame
> options headers are also widely recommended.

Sure, but how is this related to florian's diff?  Do you say "we
cannot do HSTS now because we have to support all other popular
headers or a generic mechanism first"?  That doesn't help us.

HSTS is simply the most wanted.  At least by our users and ourselves.

Additionally, we also want to make it simple by hiding the complexity
with good defaults and without the need for users to study
the List_of_useful_HTTP_headers and their various buttons first to
program their own custom HTTP configurations.

Reyk
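As an added illustration of the "one statement, good defaults" idea discussed above (this is example code, not httpd(8)'s implementation), the following builds a Strict-Transport-Security value from a small set of options, attaches it only to responses served over TLS, and parses the value back so a deployment can be checked. The default max-age of one year is an assumption chosen for the example; the page does not state what httpd's default is.

```python
# Added example, not part of httpd(8): build, apply and check an HSTS header.
# The one-year default max-age is an assumption for this example.
DEFAULT_MAX_AGE = 31536000  # seconds; assumed default, not httpd's value


def hsts_value(max_age=DEFAULT_MAX_AGE, include_subdomains=False, preload=False):
    """Return the Strict-Transport-Security header value for the given options."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    directives = [f"max-age={int(max_age)}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if preload:
        # The preload list requires includeSubDomains and a long max-age.
        if not include_subdomains:
            raise ValueError("preload requires includeSubDomains")
        directives.append("preload")
    return "; ".join(directives)


def apply_hsts(headers, scheme, **options):
    """Add the header to a response header dict, but only on TLS responses.

    User agents ignore HSTS received over plain HTTP, so emitting it there
    only adds noise; a server should set it on https listeners alone.
    """
    if scheme.lower() == "https":
        headers["Strict-Transport-Security"] = hsts_value(**options)
    return headers


def parse_hsts(value):
    """Parse a header value into a dict; raises ValueError if max-age is missing."""
    result = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max-age"] = int(val.strip().strip('"'))
        else:
            result[name] = True
    if "max-age" not in result:
        raise ValueError("max-age directive is required")
    return result


def check_response(headers, scheme, min_age=DEFAULT_MAX_AGE):
    """Return True if a TLS response carries HSTS with at least min_age seconds."""
    if scheme.lower() != "https":
        return False
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    try:
        return parse_hsts(value)["max-age"] >= min_age
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample responses, one per listener scheme.
    tls = apply_hsts({"Content-Type": "text/html"}, "https")
    plain = apply_hsts({"Content-Type": "text/html"}, "http")
    print(tls)    # carries Strict-Transport-Security: max-age=31536000
    print(plain)  # unchanged: no HSTS on plain HTTP
```

`check_response` is the piece a defender would run against live responses: it reports a listener that is missing the header, sets too short a max-age, or emits an unparsable value.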
