On 1 sept. 2014, at 19:31, Erik Romijn <[email protected]> wrote:
> If I were hosting a Django site on example.com, and enable HSTS with
> includeSubdomains and a lifetime of 6 months, as seems to be common now, I
> might not only break my own site, but also every other site under
> example.com. Upon discovering the error it can be corrected, but not before an
> unknown set of users has memorized that all of example.com and any site under
> it must use HTTPS.

This is not a theoretical scenario. I almost experienced it.

We have a website, say, http://www.company.com/. We plan to deploy a Django-based replacement at https://www.company.com/something/. We're using a sub-URL for clarity. We're also taking this opportunity to enforce HTTPS, which should have been done long ago but is impractical due to technical debt (sigh).

A sysadmin who's reasonably skilled but didn't have previous experience with nginx / gunicorn / Django had included HSTS in the nginx config file. If I hadn't reviewed that configuration, and it had gone live, whoever tried the replacement could not have gone back to the legacy website and we'd lose their business. I don't know if Googlebot honors HSTS, but if it does, this could have killed the company!

If we recommend HSTS, we need visible warnings and a small duration in examples, for people who copy-paste without reading.

-- 
Aymeric.
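As an added illustration of the review step Aymeric describes (this is not code from the thread, from Django, or from nginx): a small Python checker that parses a Strict-Transport-Security header value the way a browser does and flags the two settings that pin HTTPS onto hosts for a long time. The one-day threshold for "long" and the six-month sample value (taken from Erik's example) are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_DAY = 86400  # assumed threshold for a "long" first-rollout max-age

@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser remembers "HTTPS only"
    include_subdomains: bool  # if set, the rule covers every host under the domain

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax: directives
    separated by ';', names case-insensitive, values optionally quoted).
    Returns None when max-age is missing or not a number, since browsers
    ignore such a header entirely."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)

def review_hsts(header: str) -> List[str]:
    """Findings a config reviewer would raise before the header goes live."""
    policy = parse_hsts(header)
    if policy is None:
        return ["invalid Strict-Transport-Security header: no numeric max-age"]
    findings = []
    if policy.include_subdomains:
        findings.append("includeSubDomains: every host under this domain "
                        "must serve HTTPS, not only the one being deployed")
    if policy.max_age > ONE_DAY:
        findings.append(f"max-age={policy.max_age}s is long for a first "
                        "rollout; start small and raise it once HTTPS is verified")
    return findings

if __name__ == "__main__":
    # constructed sample: the six-month, include-subdomains header from the thread
    for finding in review_hsts("max-age=15552000; includeSubDomains"):
        print("WARNING:", finding)
```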
