I ran across this today while auditing CSA services quarterly: In the bl.ink URL redirection service, as of 2022-07-01 an improperly formatted security header exists in the HSTS support. Specifically, the header served is "strict-transport-security: max-age=63072000; includeSubdomains;", which contains an extra semicolon (the final one is not needed). This may result in some clients ignoring the HSTS header and thus rendering this security protection ineffective.
There's some stuff for inbound/input/malformed/configuration/directive/etc, but I'm not seeing anything for malformed outbound configuration/output.

--
Kurt Seifried (He/Him)
k...@seifried.org
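An audit check for the condition described in the message above, as an added example that is not part of the original post. The function name `audit_hsts` and the finding strings are hypothetical; `SERVED` is the header value quoted in the post and `CLEANED` is a constructed variant without the final semicolon.

```python
import re

# HTTP token characters, used here to validate directive names.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def audit_hsts(value):
    """Parse a Strict-Transport-Security value; return (directives, findings)."""
    directives, findings = {}, []
    # Simplification: splits on every ';', so a ';' inside a quoted
    # directive value would be mis-split.
    parts = value.split(";")
    for i, raw in enumerate(parts):
        part = raw.strip()
        if not part:
            # An empty slot is what a doubled or final ';' leaves behind.
            where = "trailing" if i == len(parts) - 1 else "interior"
            findings.append(f"empty directive ({where} semicolon)")
            continue
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()  # names compared case-insensitively
        if not TOKEN.fullmatch(name):
            findings.append(f"invalid directive name: {name!r}")
        elif name in directives:
            findings.append(f"duplicate directive: {name}")
        else:
            directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append("missing or valueless max-age")
    else:
        # Accept the quoted form max-age="123" as well as the bare number.
        if len(max_age) >= 2 and max_age[0] == max_age[-1] == '"':
            max_age = max_age[1:-1]
        if not re.fullmatch(r"[0-9]+", max_age):
            findings.append("max-age is not a non-negative integer")
    return directives, findings

SERVED = "max-age=63072000; includeSubdomains;"   # value quoted in the post
CLEANED = "max-age=63072000; includeSubdomains"   # constructed: final ';' removed

if __name__ == "__main__":
    for label, header in (("served", SERVED), ("cleaned", CLEANED)):
        print(label, audit_hsts(header))
```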