On Mon, May 7, 2018 at 9:54 PM, Yoav Nir <[email protected]> wrote:

> Immutable meaning that the HSTS header is permanent and can never be
> removed? So if a user agent has seen an immutable HSTS header once, that
> site has to be (valid) HTTPS-only forever?
>
> Interesting idea.

FWIW, if anything, it should be about standardizing https://hstspreload.org/. That's already the widely adopted practice to mostly-immutable HSTS. (Not quite sure truly-immutable is feasible, other than using a TLD that has HSTS as policy. And even then TLDs get reassigned or disappear at times...)

--
https://annevankesteren.nl/

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
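The hstspreload.org practice mentioned above hinges on the site serving a specific Strict-Transport-Security header before it can be submitted. The following checker, added here as an illustration and not part of the thread or of hstspreload.org's own tooling, parses the header per RFC 6797 and tests it against the published header rules (max-age of at least one year, includeSubDomains, preload); the remaining submission requirements (valid certificate, HTTP-to-HTTPS redirect on the apex) are out of scope, and the sample headers are constructed.

```python
"""Check a Strict-Transport-Security header value against the
hstspreload.org header rules: max-age >= 1 year, includeSubDomains, preload."""
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the hstspreload.org minimum


def parse_sts(header):
    """Parse an STS header value (RFC 6797 section 6.1) into a directive dict.
    Directive names are case-insensitive; a quoted max-age value is accepted.
    Duplicate directives make the header invalid, so raise on them."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = value
    return directives


def preload_problems(header):
    """Return the list of reasons the header fails the preload header rules.
    An empty list means the header itself would be accepted."""
    try:
        d = parse_sts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    if "max-age" not in d or not re.fullmatch(r"\d+", d["max-age"]):
        problems.append("max-age missing or not a non-negative integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (%d seconds)" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    for h in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(repr(h), "->", preload_problems(h) or "OK")
```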
