I've been working with Julian on simplifying the STS header field syntax.
Here's where it's presently at -- thoughts?
thanks again to Julian and Ryan for their earlier feedback.
=JeffH
###
5.1. Strict-Transport-Security HTTP Response Header Field
The Strict-Transport-Security HTTP response header field indicates to
a UA that it MUST enforce the HSTS Policy in regards to the host
emitting the response message containing this header field.
Note: this specification uses the augmented BNF (ABNF) notation from
Section 2 of [RFC2616], including its rules for "implied linear
whitespace (LWS)", and case-insensitivity of quoted-string literals.
The ABNF syntax for the Strict-Transport-Security (STS) HTTP Response
Header field is:
Strict-Transport-Security = "Strict-Transport-Security" ":"
directive *( ";" [ directive ] )
STS directives:
directive = max-age | includeSubDomains | STS-d-ext
max-age = "max-age" "=" delta-seconds
includeSubDomains = "includeSubDomains"
The max-age directive MUST appear once in the Strict-Transport-Security
header field value. The includeSubDomains directive MAY appear once.
The order of appearance of directives in the Strict-Transport-Security
header field value is not significant.
Additional directives extending the the semantic functionality of
the Strict-Transport-Security header field may be defined in other
specifications, using the STS directive extension point (STS-d-ext)
syntax:
STS-d-ext = token [ "=" ( token | quoted-string ) ]
Defined in [RFC2616]:
delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
token = <token, defined in [RFC2616], Section 2.2>
quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>
###
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
