Re: Thoughts on HSTS

Nice work, Daniel.

In Apache I can preload certain servers, because it is pretty safe to assume that ACME servers do not migrated to http:

But the persistence seems not usable. I cannot specify a file to libcurl, as process privileges will change during the lifetime of the server and also because it will live in several child processes.

Would it be an idea to let the hosting application provide some sort of persistence callbacks? Or is there already such a thing?

Cheers, Stefan

> Am 31.08.2020 um 23:56 schrieb Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>:
>
> Hi!
>
> HTTP Strict Transport Security (HSTS) is (simply put) a way for an HTTPS server to say that the host name should not be accessed over HTTP, only HTTPS - for a set number of seconds into the future.
>
> I've started to work on an implementation for curl and while doing so, I've put down some ideas in the wiki on how to interface this from curl and libcurl. I'm interested in feedback:
>
> https://github.com/curl/curl/wiki/HSTS
>
> (In a completely unscientific poll on twitter, 60% of the 559 persons who answered said they'd like to see HSTS support added to curl: https://twitter.com/bagder/status/1299357395357925376)
>
> --
>
> / daniel.haxx.se | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-09-02