Incorrect calculation for "Enforces HTTPS" #207
Comments
|
Remember that it checks [site].[tld] as well as [www].[site].[tld]. http://www.list.ahrq.gov returns a 404, it doesn’t 3xx redirect to https.
Neil
From: mpreissner <[email protected]>
Sent: Friday, November 8, 2019 8:51 AM
To: cisagov/pshtt <[email protected]>
Cc: Subscribed <[email protected]>
Subject: [cisagov/pshtt] Incorrect calculation for "Enforces HTTPS" (#207)
🐛 Bug Report
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Install pshtt on CentOS 7.7.
Run test against desired site with known Valid HTTPS and Defaults to HTTPS
Expected behavior
A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True.
I support a federal agency...according to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect.
Test site was "list.ahrq.gov".
Any helpful log output
Paste the results here:
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#207?email_source=notifications&email_token=AKUO3SOVKWY2QY4WTCS7KODQSVVENA5CNFSM4JKXPS4KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HX66VZA>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKUO3SJGC35S4WNCH3EDOSLQSVVENANCNFSM4JKXPS4A>.
|
|
Thanks Neil. If we simply get rid of the www 4th level domain, will that make the calculation come up as desired? |
|
You're right, the documentation should be updated. #192 updated the logic for Domain Enforces HTTPS to also require Strictly Forces HTTPS to be True. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
🐛 Bug Report
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Install pshtt on CentOS 7.7.
Run test against desired site with known Valid HTTPS and Defaults to HTTPS
Expected behavior
A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True.
I support a federal agency...according to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect.
Test site was "list.ahrq.gov".
Any helpful log output
Paste the results here:
The text was updated successfully, but these errors were encountered: