Willy, Am 19.03.2018 um 22:15 schrieb Willy Tarreau: > Looks like it indeed. By then there was no "http-request" ruleset > either. Maybe we could move it to a place where it's generated > earlier, or maybe we could ensure that it's computed on the fly > when the associated sample fetch function is called for %ID (I > didn't remember it was available like this).
Is there some specific place I should file this "bug" report or is my email sufficient for you to keep track of? >> >> Here's two more that came into my mind: >> >> - Expect-CT >> - Public-Key-Pins (a.k.a. HPKP) >> >> Both are deeply related to HSTS due do being TLS security headers. The >> latter is being deprecated by the browsers, because of footgun issues, >> though. The former is fairly new. > > Yes it's still a draft (unless I missed the announce). > Expect-CT technically still is a draft , but it is implemented since Google Chrome 61 . Personally I know that Cloudflare already is setting that header on their responses. HPKP is deprecated in Google Chrome and header processing will be removed for Chrome 67 (which is due in May). Best regards Tim Düsterhus  https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02  https://www.chromestatus.com/feature/5677171733430272  https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ