Hi there, I realise that this proposal might be rather late in the process, but would it be possible to add a list of excluded subdomains in the STS header?
My use case is that I am setting up a new service which has the STS header set so that users might have a more secure experience. However, for the purposes of sending referrer path information to non-HTTPS sites, I have one subdomain which does redirects over plain HTTP, e.g. http://from.espra.com/some/referrer/path.

In an ideal world, I would be able to set a comprehensive STS header which excluded just that one subdomain, e.g.

    Strict-Transport-Security: max-age=31536000; includeSubDomains; exclude=from.espra.com

And since having an exclude implicitly suggests includeSubDomains, it could be shortened to just:

    Strict-Transport-Security: max-age=31536000; exclude=from.espra.com

There are, of course, alternative solutions, e.g. using another domain for the HTTP redirect or setting STS on individual subdomains without specifying includeSubDomains. But this seems like it would be a more elegant and secure solution.

Thank you for your time!

--
All the best, tav

plex:espians/tav | [email protected] | +44 (0) 7809 569 369
http://tav.espians.com | http://twitter.com/tav | skype:tavespian

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
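To make the proposed semantics concrete, here is an added example (not part of the original message, and not code from any browser or from the HSTS specification) of how a user agent would parse the proposed header and decide whether a request must be upgraded. The `exclude=` directive is the proposal's, not an RFC 6797 directive, and treating an exclusion as an exact host match (so sub-subdomains of the excluded host stay covered) is an assumption made here.

```python
from dataclasses import dataclass, field


@dataclass
class StsPolicy:
    host: str                    # host that sent the header (policy owner)
    max_age: int                 # seconds the policy is valid
    include_subdomains: bool     # whether subdomains of host are covered
    excluded: frozenset = field(default_factory=frozenset)  # proposed exclude= hosts


def parse_sts(host, header):
    """Parse a Strict-Transport-Security value using the proposed syntax.

    Directives: max-age=<secs>, includeSubDomains, exclude=<host>[,<host>...].
    As the proposal suggests, exclude= implies includeSubDomains.
    """
    max_age = None
    include = False
    excluded = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
        elif name == "exclude":  # hypothetical directive from the proposal
            include = True
            excluded.update(h.strip().lower() for h in value.split(",") if h.strip())
    if max_age is None:
        raise ValueError("max-age is required")
    return StsPolicy(host.lower(), max_age, include, frozenset(excluded))


def must_use_https(policy, target):
    """Return True if a request to `target` must be upgraded to HTTPS."""
    target = target.lower()
    if policy.max_age == 0:          # max-age=0 removes the policy
        return False
    if target == policy.host:
        return True
    if not policy.include_subdomains or not target.endswith("." + policy.host):
        return False
    # Assumption: exclusion is an exact host match, so a.from.espra.com is
    # still upgraded even though from.espra.com itself is excluded.
    return target not in policy.excluded
```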
