On Thu, Oct 27, 2011 at 11:03 AM, =JeffH <[email protected]> wrote:
> I've been working with Julian on simplifying the STS header field syntax.
> Here's where it's presently at -- thoughts?
>
> thanks again to Julian and Ryan for their earlier feedback.
>
> =JeffH
>
>
> ###
>
> 5.1. Strict-Transport-Security HTTP Response Header Field
>
> The Strict-Transport-Security HTTP response header field indicates to
> a UA that it MUST enforce the HSTS Policy in regards to the host
> emitting the response message containing this header field.
>
> Note: this specification uses the augmented BNF (ABNF) notation from
> Section 2 of [RFC2616], including its rules for "implied linear
> whitespace (LWS)", and case-insensitivity of quoted-string literals.
>
> The ABNF syntax for the Strict-Transport-Security (STS) HTTP Response
> Header field is:
>
>
> Strict-Transport-Security = "Strict-Transport-Security" ":"
> directive *( ";" [ directive ] )
>
>
> STS directives:
>
> directive = max-age | includeSubDomains | STS-d-ext
>
> max-age = "max-age" "=" delta-seconds
>
> includeSubDomains = "includeSubDomains"
>
>
> The max-age directive MUST appear once in the Strict-Transport-Security
> header field value. The includeSubDomains directive MAY appear once.
> The order of appearance of directives in the Strict-Transport-Security
> header field value is not significant.
>
> Additional directives extending the semantic functionality of
> the Strict-Transport-Security header field may be defined in other

MAY or might?

> specifications, using the STS directive extension point (STS-d-ext)
> syntax:
>
> STS-d-ext = token [ "=" ( token | quoted-string ) ]
>
>
> Defined in [RFC2616]:
>
> delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
> token = <token, defined in [RFC2616], Section 2.2>
> quoted-string = <quoted-string, defined in [RFC2616], Section 2.2>
>
>
> ###
>
>
>
> _______________________________________________
> websec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/websec
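The quoted ABNF turned into a field-value parser, as an added example that is not code from the draft, from JeffH, or from any user agent. It assumes RFC 2616's token, quoted-string and implied-LWS rules, that CRLF line folding has already been removed by the HTTP layer, and that STS-d-ext directives are collected in order of appearance (the draft defines no duplicate rule for them). The names parse_sts_value, STSPolicy, rejects and STSSyntaxError are chosen here. It enforces the rules stated in the text: max-age exactly once with a bare 1*DIGIT value, includeSubDomains at most once and without a value, directive names case-insensitive, empty directives after ";" tolerated, and anything else refused.

```python
# Added example, not code from the draft or from any UA: a parser for the
# Strict-Transport-Security field value as the quoted ABNF defines it. Assumed:
# RFC 2616 token / quoted-string / implied-LWS rules, CRLF folding already
# removed by the HTTP layer, STS-d-ext directives kept in order of appearance.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_LWS = re.compile(r'[ \t]*')                                   # implied LWS
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")           # CHAR minus CTLs and separators
_DELTA_SECONDS = re.compile(r'[0-9]+')                          # delta-seconds = 1*DIGIT
# quoted-string = <"> *( qdtext | quoted-pair ) <">; qdtext excludes <"> and CTLs other than HT
_QUOTED = re.compile(r'"((?:[^"\\\x00-\x08\x0a-\x1f\x7f]|\\[\x00-\x7f])*)"')
_QUOTED_PAIR = re.compile(r'\\(.)', re.S)


class STSSyntaxError(ValueError):
    """Field value violates the ABNF or its MUST/MAY rules; a UA would not apply it."""


@dataclass
class STSPolicy:
    max_age: int                        # REQUIRED, exactly once
    include_subdomains: bool = False    # MAY appear once, carries no value
    extensions: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def _read_token(s: str, i: int) -> Tuple[str, int]:
    m = _TOKEN.match(s, i)
    if not m:
        raise STSSyntaxError("expected token at offset %d" % i)
    return m.group(), m.end()


def _read_quoted_string(s: str, i: int) -> Tuple[str, int]:
    m = _QUOTED.match(s, i)
    if not m:
        raise STSSyntaxError("malformed or unterminated quoted-string at offset %d" % i)
    return _QUOTED_PAIR.sub(r'\1', m.group(1)), m.end()        # undo quoted-pair escapes


def _split_directives(value: str) -> List[Tuple[str, Optional[str], bool]]:
    """directive *( ";" [ directive ] )  ->  [(name, value, value_was_quoted), ...]"""
    out, i, first = [], 0, True
    while True:
        i = _LWS.match(value, i).end()
        # The first directive is mandatory; after ";" it is optional, so
        # "max-age=1;" and "max-age=1;;foo" are both well-formed.
        if first or _TOKEN.match(value, i):
            name, i = _read_token(value, i)
            i = _LWS.match(value, i).end()
            val, quoted = None, False
            if value.startswith('=', i):
                i = _LWS.match(value, i + 1).end()
                quoted = value.startswith('"', i)
                val, i = (_read_quoted_string if quoted else _read_token)(value, i)
            out.append((name, val, quoted))
            i = _LWS.match(value, i).end()
        first = False
        if i == len(value):
            return out
        if value[i] != ';':
            raise STSSyntaxError("unexpected %r at offset %d" % (value[i], i))
        i += 1


def parse_sts_value(value: str) -> STSPolicy:
    """Parse the field value, i.e. everything after 'Strict-Transport-Security:'."""
    max_age, include_subdomains, extensions = None, None, []
    for name, val, quoted in _split_directives(value):
        key = name.lower()              # quoted-string literals in the ABNF are case-insensitive
        if key == 'max-age':
            if max_age is not None:
                raise STSSyntaxError("max-age MUST appear only once")
            # Under this draft the value is bare delta-seconds; a quoted-string is not one.
            if val is None or quoted or not _DELTA_SECONDS.fullmatch(val):
                raise STSSyntaxError("max-age requires an unquoted 1*DIGIT value")
            max_age = int(val)
        elif key == 'includesubdomains':
            if include_subdomains is not None:
                raise STSSyntaxError("includeSubDomains MAY appear at most once")
            if val is not None:
                raise STSSyntaxError("includeSubDomains carries no value")
            include_subdomains = True
        else:                           # STS-d-ext = token [ "=" ( token | quoted-string ) ]
            extensions.append((name, val))
    if max_age is None:
        raise STSSyntaxError("max-age MUST appear once")
    return STSPolicy(max_age, bool(include_subdomains), extensions)


def rejects(value: str) -> bool:        # True when a UA following this draft would refuse the value
    try:
        parse_sts_value(value)
        return False
    except STSSyntaxError:
        return True
```

Typical use is parse_sts_value("max-age=31536000; includeSubDomains"), which returns STSPolicy(max_age=31536000, include_subdomains=True, extensions=[]); rejects('max-age="3600"') is True because this draft's delta-seconds is unquoted. Note that the published RFC 6797 later allowed every directive value to be a token or a quoted-string, so a parser targeting the RFC rather than this draft would accept the quoted form after unescaping it.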
