Do not default to preloading HSTS #727
Comments
Thanks for reporting this. I agree we should change it and looking back it wasn't a great idea :( I'll switch it and try to figure out a migration path or some instructions.
swalkinshaw added a commit that referenced this issue on Jan 7, 2017: "Fix #727 - HSTS: default preload to off"
@lgarron Wow! Thank you for taking action on my feedback! And @swalkinshaw thumbs up for the fast fix!
What is the current behavior?
The HSTS defaults include `nginx_hsts_preload: true`
What is the expected or desired behavior?
Sites that enable HSTS should not send the `preload` directive by default.
I was contacted by someone who unintentionally ended up on the preload list. Removal is slow and painful for such sites: https://hstspreload.org/#removal
(I deal with multiple removal requests daily.)
Preloaded HSTS should never be the default setting. It has no effect unless the site is submitted to https://hstspreload.org , which should be done with the knowledge and consent of the site operator. It's fine to encourage preloaded HSTS, but it should be an explicit opt-in.
I would send a pull request to change the default value, but I don't know how to handle the migration path for existing projects that rely on the default value to stay preloaded. However, the setting should be `false` for new projects.