On 3/3/2025 9:15 AM, Gunnar Guðvarðarson wrote:
Hey,

As you might well be aware, adding HSTS on an established, legacy domain in an 
enterprise is not popular, and most of the time blocked by legacy ... reasons.

I would like to propose an addition to RFC6797, a "-Report-Only" header alternative to the existing header, which, while it would not actually enforce HSTS, would instead report potential failures of the HSTS policy to the configured NEL endpoint <https://w3c.github.io/network-error-logging/#secure-connection-establishment-errors>.


Thanks for sharing your idea. However, I'm no longer active in the IETF and am not contributing to such work. (and rarely reading email at this address)

Also, the "need" for HSTS is decreasing as browsers now support "HTTPS-first" behavior along with the mass adoption of HTTPS fostered by Let's Encrypt. (HSTS was/is a stopgap tool.)

Though, if you wish to pursue this, the way to do it is to propose it on the [email protected] mailing list and write an internet-draft.

I hope this helps,

JeffH

Examples:
report-to: {"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.com/reports"}],"include_subdomains":true}
nel: {"report_to":"default","max_age":31536000,"include_subdomains":true,"failure_fraction":1.0}

strict-transport-security-report-only: max-age=31536000; includesubdomains
Or
strict-transport-security-report-only: max-age=31536000; includesubdomains; report-to=default

Or a mix of enforcement for apex and reporting for subdomains, strictest policy 
always wins, so if a subdomain already has HSTS enforced, use that.
strict-transport-security: max-age=31536000
strict-transport-security-report-only: max-age=31536000; includesubdomains

Applying this should be fearless, since nothing changes except reports are 
generated, and after running that for a few months or years, and fixing any 
reports, you can be confident when actually enabling HSTS enforcement.

Kveðja / Regards,
Gunnar Guðvarðarson
Öryggissérfræðingur | Principal Security Engineer

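A small Python model of how a client could evaluate the header pair proposed above (enforcing policy on the apex, report-only with includesubdomains, strictest policy wins). This is an added illustration, not part of the proposal or of any browser's implementation; the directive names and sample values come from the thread, the function names and the "enforce/report/allow" outcomes are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class StsPolicy:
    max_age: int
    include_subdomains: bool
    report_to: Optional[str] = None  # Report-To group name (the proposed directive)

def parse_sts(value: str) -> StsPolicy:
    """Parse RFC 6797 style directives; names are case-insensitive, values may be quoted."""
    max_age, include_sub, report_to = None, False, None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-to":
            report_to = val
    if max_age is None:
        raise ValueError("max-age directive is required")
    return StsPolicy(max_age, include_sub, report_to)

def covers(policy: StsPolicy, policy_host: str, request_host: str) -> bool:
    """max-age=0 tells the UA to forget the host (RFC 6797 section 6.1.1), so it covers nothing."""
    if policy.max_age == 0:
        return False
    if request_host == policy_host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy_host)

def decide(headers: dict, policy_host: str, request_host: str) -> str:
    """Outcome for a plaintext http:// request to request_host, given headers earlier
    received from policy_host: 'enforce' (upgrade to https), 'report' (load it, but
    send a report to the NEL group) or 'allow'. Enforcement wins over report-only."""
    enforce = headers.get("strict-transport-security")
    report = headers.get("strict-transport-security-report-only")
    if enforce and covers(parse_sts(enforce), policy_host, request_host):
        return "enforce"
    if report and covers(parse_sts(report), policy_host, request_host):
        return "report"
    return "allow"

# Constructed sample: the mixed apex/subdomain deployment from the thread.
HEADERS = {
    "strict-transport-security": "max-age=31536000",
    "strict-transport-security-report-only": "max-age=31536000; includesubdomains; report-to=default",
}

if __name__ == "__main__":
    for host in ("example.com", "legacy.example.com", "other.example"):
        print(host, "->", decide(HEADERS, "example.com", host))
```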
_______________________________________________
websec mailing list -- [email protected]
To unsubscribe send an email to [email protected]