Re: https at ietf.org

On Nov 6, 2013, at 4:16 PM, Marco Davids (Prive) <mdavids@xxxxxxxxxx> wrote:

> On 05/11/13 20:38, Yoav Nir wrote:
>>> Enabling 'HTTP Strict Transport Security' (HSTS, RFC6797) might be a
>>> good first step.
>> HSTS means that HTTP is off (or just redirects you to HTTPS). The first S stands for "strict" and we mean it. :-)
>> 
> Well, not entirely; the redirect is strictly not part of HSTS. 

Sure it is:

7.2.  HTTP Request Type

   If an HSTS Host receives an HTTP request message over a non-secure
   transport, it SHOULD send an HTTP response message containing a
   status code indicating a permanent redirect, such as status code 301
   (Section 10.3.2 of [RFC2616]), and a Location header field value
   containing either the HTTP request's original Effective Request URI
   (see Section 9 ("Constructing an Effective Request URI")) altered as
   necessary to have a URI scheme of "https", or a URI generated
   according to local policy with a URI scheme of "https".
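
Added example, not part of the original message or of RFC 6797: a Python sketch of the Section 7.2 behaviour quoted above, building the redirect for a request received over plain HTTP and auditing a response to such a request. The function names are hypothetical, and dropping the port assumes HTTPS is served on the default port 443.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example; function names are hypothetical, not from RFC 6797.
PERMANENT_REDIRECTS = {301, 308}  # 301 is the status code Section 7.2 names


def effective_request_uri(request_target, host_header):
    """Rebuild the URI of a request that arrived over plain HTTP."""
    if request_target.lower().startswith("http://"):
        return request_target  # absolute-form target already has the authority
    return f"http://{host_header}{request_target}"


def https_redirect(request_target, host_header):
    """Return (status, Location) with the original URI moved to https."""
    parts = urlsplit(effective_request_uri(request_target, host_header))
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # restore brackets around an IPv6 literal
    # Assumption: HTTPS listens on 443, so any explicit http port is dropped.
    location = urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    return 301, location


def audit_plain_http_response(status, headers):
    """List deviations from Section 7.2 in a response sent over plain HTTP."""
    hdrs = {name.lower(): value for name, value in headers.items()}
    findings = []
    if status not in PERMANENT_REDIRECTS:
        findings.append(f"status {status} is not a permanent redirect")
    location = hdrs.get("location")
    if location is None:
        findings.append("no Location header")
    elif urlsplit(location).scheme.lower() != "https":
        findings.append(f"Location is not https: {location}")
    # Section 7.2 also says the STS header MUST NOT be sent over plain HTTP.
    if "strict-transport-security" in hdrs:
        findings.append("Strict-Transport-Security sent over non-secure transport")
    return findings


if __name__ == "__main__":
    # Constructed sample request and response.
    print(https_redirect("/about?x=1", "www.example.org:80"))
    print(audit_plain_http_response(302, {"Location": "http://www.example.org/"}))
```

The audit accepts any https Location, since Section 7.2 permits a URI generated according to local policy as well as the rewritten original.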