Hi,

On 15.11.20 at 15:47, Maciej Jaros wrote:
> It seems there are no HSTS headers for openoffice.org. There should
> also be redirects to HTTPS.
>
> Note that this is kind of important because (within months) executable
> downloads will be forbidden over HTTP. It actually should have
> happened with Chrome 85, but I believe it was delayed due to covid (as
> was TLS 1.0 deprecation).

"Soft" or "hard" redirection, which was discussed here, is something
different than redirection from HTTP to HTTPS.

I think permanent redirection to HTTPS will be addressed with the
ongoing switch to our new CMS.

Regards,

   Matthias

>
>> curl -s -D - "http://openoffice.org/" -o nul
>> HTTP/1.1 302 Found
>> Date: Sun, 15 Nov 2020 14:00:20 GMT
>> Server: Apache/2.4.18 (Ubuntu)
>> Location: http://www.openoffice.org/
>> Content-Length: 210
>> Content-Type: text/html; charset=iso-8859-1
>
> This should be:
>> Location: https://www.openoffice.org/
>
>
> This should also redirect with 302 instead of 200.
>> curl -s -D - "http://www.openoffice.org/" -o nul
>> HTTP/1.1 200 OK
>> Date: Sun, 15 Nov 2020 14:00:34 GMT
>> Server: Apache/2.4.18 (Ubuntu)
>> Accept-Ranges: bytes
>> Vary: Accept-Encoding
>> Transfer-Encoding: chunked
>> Content-Type: text/html
>
> And once that is done "https://www.openoffice.org/" should return:
>> Strict-Transport-Security: max-age=2592000; includeSubDomains
>
> I assume that using sub-domains variant is OK, because there is a
> wildcard certificate.
>
> And after all that, the grade on SSL Labs test should be upgraded to
> A+ 🙂
>
> Cheers,
> Nux.

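Added example, not part of the original thread: a small Python check that takes header dumps in the shape of the `curl -s -D -` output quoted above and reports the two gaps the thread discusses (no HTTP to HTTPS redirect, no HSTS header). The function names and the `SAMPLES` data are hypothetical; the first two samples abbreviate the responses quoted in the thread and the third is constructed from the header value proposed there.

```python
REDIRECTS = {301, 302, 307, 308}

# Constructed header dumps: the first two abbreviate the responses quoted in
# the thread, the third is the response the thread asks for.
SAMPLES = {
    "http://openoffice.org/": "HTTP/1.1 302 Found\r\nLocation: http://www.openoffice.org/\r\n",
    "http://www.openoffice.org/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "https://www.openoffice.org/": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=2592000; includeSubDomains\r\n",
}

def parse_response(raw):
    """Split a raw header dump into (status code, {lower-cased name: value})."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')  # max-age may be a quoted string
        if name.strip().lower() == "max-age" and arg.isdecimal():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit(url, raw):
    """List the findings for one URL and the header dump it returned."""
    status, headers = parse_response(raw)
    findings = []
    if url.startswith("http://"):
        location = headers.get("location", "")
        if status not in REDIRECTS:
            findings.append(f"no redirect (status {status})")
        elif not location.lower().startswith("https://"):
            findings.append(f"redirect stays on HTTP: {location}")
    else:
        # HSTS only counts on HTTPS responses; max-age=0 clears the policy.
        max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
        if not max_age:
            findings.append("HSTS missing or max-age=0")
    return findings

if __name__ == "__main__":
    print({url: audit(url, raw) for url, raw in SAMPLES.items()})
```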