Tobias asked:
>
> the case in question is: does HSTS with max-age=0 and includeSubDomains
> mean you remove the HSTS flag (entry) for the subDomains as well ?

If you mean to ask whether a UA receiving this header from example.com...

    Strict-Transport-Security: max-age=0; includeSubDomains

...affects any _entries_ the UA may have in its HSTS list for subdomains of example.com, the answer is "no".

Also, receipt of the below header should be treated by the UA the same as receipt of the above header (where both headers are received from example.com)...

    Strict-Transport-Security: max-age=0


The intention is that receipt of an HSTS header field with "max-age=0" is treated the same regardless of the presence or absence of the includeSubDomains flag in the header field. The effect in both cases is to remove the entire entry for "example.com" from the UA's HSTS host list.

In other words, the UA maintains HSTS information indexed by hostname, and must receive an STS header from a given host (over a secure connection) in order to create, update, or delete HSTS info about the given host.

HTH,

=JeffH


_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
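Editor's note: the following is an added example, not code from JeffH's message or from any UA. It models the host-indexed HSTS list described above: an STS header is parsed, honoured only when received over a secure connection, and a max-age of zero deletes the entry for the sending host alone, whether or not includeSubDomains is present. Entries that subdomains set for themselves are untouched. The function and field names (parseStsHeader, HstsStore, receiveHeader, isKnownHstsHost) are my own choices and not from RFC 6797.

```javascript
// Added example: a minimal model of a UA's HSTS host list, not code from the
// original post. Names (parseStsHeader, HstsStore, ...) are assumptions.

// Parse the value of a Strict-Transport-Security header field. Directive names
// are case-insensitive; max-age is required, must be a non-negative integer and
// must not repeat; unknown directives are ignored. Returns null if the field is
// unusable, in which case the UA ignores it.
function parseStsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const rawVal = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (maxAge !== null) return null;                 // duplicate max-age
      if (rawVal === null || !/^\d+$/.test(rawVal)) return null;
      maxAge = Number(rawVal);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// The UA's HSTS list, indexed by hostname. Entry: { expires, includeSubDomains }.
class HstsStore {
  constructor(now = () => Date.now()) {
    this.entries = new Map();
    this.now = now;                                     // injectable clock (ms)
  }

  // Process an STS header received from `host`. The caller says whether the
  // response came over a secure transport; an insecure receipt is ignored.
  receiveHeader(host, value, secure = true) {
    if (!secure) return 'ignored';
    const parsed = parseStsHeader(value);
    if (parsed === null) return 'ignored';
    const key = host.toLowerCase();
    if (parsed.maxAge === 0) {
      // max-age=0 removes this host's entry only, regardless of the
      // includeSubDomains flag; every other host's entry is left alone.
      this.entries.delete(key);
      return 'deleted';
    }
    const existed = this.entries.has(key);
    this.entries.set(key, {
      expires: this.now() + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return existed ? 'updated' : 'created';
  }

  // Is `host` a Known HSTS Host? True for an unexpired exact entry, or for an
  // unexpired entry of a superdomain whose includeSubDomains flag is set.
  isKnownHstsHost(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.entries.delete(candidate);                 // expired: evict, keep looking
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}

// Walk through the case raised in the thread, with a fixed clock.
function demo() {
  const store = new HstsStore(() => 1000000);
  const log = [];
  log.push(store.receiveHeader('example.com', 'max-age=31536000; includeSubDomains'));
  log.push(store.receiveHeader('www.example.com', 'max-age=31536000'));
  // example.com now sends max-age=0; with or without includeSubDomains the
  // effect is the same: only the example.com entry goes away.
  log.push(store.receiveHeader('example.com', 'max-age=0; includeSubDomains'));
  log.push(store.isKnownHstsHost('example.com'));       // false: entry removed
  log.push(store.isKnownHstsHost('www.example.com'));   // true: its own entry survives
  log.push(store.isKnownHstsHost('api.example.com'));   // false: no superdomain coverage left
  return log;
}
```

Run demo() to see the sequence: the deletion from example.com leaves www.example.com's own entry in place, while api.example.com, which only ever relied on the parent's includeSubDomains, stops being a Known HSTS Host. The same deletion sent over plain HTTP is ignored, so an on-path attacker cannot use a spoofed max-age=0 to clear the entry.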
