Incorrect calculation for "Enforces HTTPS" #207
Comments
Remember that it checks [site].[tld] as well as [www].[site].[tld]. http://www.list.ahrq.gov returns a 404, it doesn’t 3xx redirect to https.
Neil
From: mpreissner <[email protected]>
Sent: Friday, November 8, 2019 8:51 AM
To: cisagov/pshtt <[email protected]>
Cc: Subscribed <[email protected]>
Subject: [cisagov/pshtt] Incorrect calculation for "Enforces HTTPS" (#207)
🐛 Bug Report
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
Install pshtt on CentOS 7.7.
Run test against desired site with known Valid HTTPS and Defaults to HTTPS
Expected behavior
A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True.
I support a federal agency...according to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect.
Test site was "list.ahrq.gov".
Any helpful log output
Paste the results here:
Thanks Neil. If we simply get rid of the www 4th level domain, will that make the calculation come up as desired?
You're right, the documentation should be updated. #192 updated the logic for Domain Enforces HTTPS to also require Strictly Forces HTTPS to be True.
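To see which result combinations the documentation mismatch discussed in this thread affects, the following added example (not pshtt's own code) enumerates every combination of the four inputs and lists those where the formula quoted in the report and the stricter rule disagree. The function names are hypothetical, and `enforces_after_192` is an assumption: it reads the last comment as the documented formula with Strictly Forces HTTPS additionally required.

```python
from itertools import product

FIELDS = ("supports_https", "defaults_to_https",
          "strictly_forces_https", "redirect")


def enforces_documented(supports_https, defaults_to_https,
                        strictly_forces_https, redirect):
    """Formula as quoted in the issue report."""
    return supports_https and (
        defaults_to_https or (strictly_forces_https and redirect)
    )


def enforces_after_192(supports_https, defaults_to_https,
                       strictly_forces_https, redirect):
    """Assumed post-#192 rule: the documented formula, plus a hard
    requirement that Strictly Forces HTTPS is True."""
    return strictly_forces_https and enforces_documented(
        supports_https, defaults_to_https, strictly_forces_https, redirect
    )


def divergent_cases():
    """Return every input combination on which the two rules disagree."""
    cases = []
    for values in product((True, False), repeat=len(FIELDS)):
        if enforces_documented(*values) != enforces_after_192(*values):
            cases.append(dict(zip(FIELDS, values)))
    return cases


if __name__ == "__main__":
    for case in divergent_cases():
        print(case,
              "documented:", enforces_documented(**case),
              "after #192:", enforces_after_192(**case))
```

Every divergent row has Supports HTTPS and Defaults to HTTPS set to True and Strictly Forces HTTPS set to False, which is the combination the report describes.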