On Nov 6, 2013, at 4:16 PM, Marco Davids (Prive) <mdavids@xxxxxxxxxx> wrote:
> On 05/11/13 20:38, Yoav Nir wrote:
>>> Enabling 'HTTP Strict Transport Security' (HSTS, RFC6797) might be a
>>> good first step.
>> HSTS means that HTTP is off (or just redirects you to HTTPS). The first S stands for "strict" and we mean it. :-)
>>
> Well, not entirely; the redirect is strictly not part of HSTS.
Sure it is:
7.2. HTTP Request Type
If an HSTS Host receives an HTTP request message over a non-secure
transport, it SHOULD send an HTTP response message containing a
status code indicating a permanent redirect, such as status code 301
(Section 10.3.2 of [RFC2616]), and a Location header field value
containing either the HTTP request's original Effective Request URI
(see Section 9 ("Constructing an Effective Request URI")) altered as
necessary to have a URI scheme of "https", or a URI generated
according to local policy with a URI scheme of "https".