Need more exhaustive check to determine if an HSTS header will be ignored #205
🐛 Bug Report

Consider the function `hsts_check()` in `pshtt/pshtt.py`. It's not just a bad hostname that should cause the HSTS header to be ignored. It is also ignored if the certificate is untrusted, for example. (See item 2 in the RFC.) Therefore I think that this `if` clause should be fleshed out a little more.

We should be a little careful when making this change, since as @echudow pointed out in a separate pull request:

Comments

Should this check just get blanketed under

@konklone said in a different thread:

> It is entirely possible that some sites will use non-public certs with HSTS and expect all internal clients to trust the non-public certs, so it is ok for them. If all the sites that are scanned will always be public-facing sites that the public should be accessing, then they should use publicly trusted certs, but I don't know that we can make that assumption. In that case, we probably can't not give credit for HSTS based on it being a self-signed cert or having a bad chain. In addition to the current check for a bad hostname, we could probably also not give HSTS credit if there is an expired certificate though.
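The rule the issue is asking for, as an added example that is not pshtt's `hsts_check()` and not code from anyone in this thread: a user agent only notes an HSTS host when the TLS connection had no certificate errors (RFC 6797 section 8.1), so a hostname mismatch, an expired or not-yet-valid certificate, and an untrusted chain each cause the header to be ignored. It goes a little beyond the thread by also parsing the header value itself (RFC 6797 section 6.1: `max-age` required, no repeated directives), since a malformed header is ignored too. The `TlsValidation` and `HstsDecision` types, the `hsts_credit` function and the `allow_private_ca` switch (for the internal-CA case raised in the quoted comment) are assumed names for illustration.

```python
"""Decide whether a Strict-Transport-Security header may be credited.

Illustrative example, not pshtt's own hsts_check(). RFC 6797 section 8.1
says a UA notes an HSTS host only when the TLS connection had no errors or
warnings, so any certificate failure means the header is ignored. The
allow_private_ca flag is an assumed policy knob for scans of internal
hosts whose certificates chain to a non-public CA.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class TlsValidation:
    """Outcome of validating the server certificate for the scanned host."""
    hostname_matches: bool   # certificate covers the requested hostname
    chain_trusted: bool      # chain builds to a root in the public trust store
    not_before: datetime
    not_after: datetime


@dataclass
class HstsDecision:
    credited: bool
    reason: str
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns None when the header is malformed: max-age missing or
    non-numeric, or any directive repeated. Directive names are
    case-insensitive and unknown directives are ignored.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # each directive may appear at most once
        directives[name] = arg.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_credit(header: str, tls: TlsValidation, now: Optional[datetime] = None,
                allow_private_ca: bool = False) -> HstsDecision:
    """Credit the HSTS header only when a conforming UA would honour it."""
    now = now or datetime.now(timezone.utc)
    parsed = parse_hsts(header)
    if parsed is None:
        return HstsDecision(False, "malformed header")
    # The existing check: a certificate for the wrong name is a TLS error.
    if not tls.hostname_matches:
        return HstsDecision(False, "hostname mismatch")
    # Validity window: expired or not-yet-valid certificates are errors too.
    if now < tls.not_before:
        return HstsDecision(False, "certificate not yet valid")
    if now > tls.not_after:
        return HstsDecision(False, "certificate expired")
    # Chain trust: an untrusted chain is an error unless policy accepts
    # private CAs for internal hosts (the case raised in the thread).
    if not tls.chain_trusted and not allow_private_ca:
        return HstsDecision(False, "untrusted certificate chain")
    reason = "valid TLS" if tls.chain_trusted else "private CA accepted by policy"
    return HstsDecision(True, reason, parsed["max_age"],
                        parsed["include_subdomains"], parsed["preload"])
```

The scanner would fill `TlsValidation` from its own connection attempt (pyOpenSSL or `ssl` verification errors, hostname check, certificate dates) and call `hsts_credit` for each response that carried the header; the `reason` string is what you would want surfaced in scan output so a site owner can tell a real HSTS failure from a certificate problem.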