expire hsts cache & invert ssl redirect #6
Comments
I'm not quite sure what your code is supposed to be doing. Your (Also, it's "insecure" rather than "unsecure" - unfortunately English is pretty inconsistent that way.)
Thanks. I just fixed the lexical error, and added a missing helper function.
Furthermore, if I used
I mean "first request" above as a request made after the request that was used by |
I still don't see the point of (wrap-hsts handler {:max-age 0}) I'm also not sure what the benefit of
Thanks, I didn't remember Circumstances I create an SSL certificate with StartSSL™. Then there are two circumstances:
It's not just about the previous users' cache. Also, all Google links in search results are https at the moment. And Google takes its time. Maybe some days, maybe weeks... to update the results to http. It's true that major players in the browser market are making a huge effort to make https everywhere. But one thing is vision, another thing is reality and choice. We still have to wait for letsencrypt.org to become public on the 3rd of December, and even then, we don't know for sure what the market's response will be.
Seems like the market response was very positive.
Say I use `wrap-ssl-redirect` for the case where the user loads a website using http, to get him redirected to the https version. I also use `wrap-hsts` for the second time and so on, so that when the user tries to access the website using http, it is immediately converted to https before sending the request. Then it happens that my new ssl certificate is unsecure and browsers start complaining. Many former users are still accessing the website via https, which will take them to a security page first. To make matters worse, even if they do use http, the link will immediately be converted to https due to the hsts cache.
To solve these issues, I came up with this:
Is there an easier way to solve this? If not, how about including this use case in `ring-ssl`, along the lines of undoing ssl?
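The two pieces of middleware the post describes (expire the HSTS policy, redirect https back to http), written here as an added example for this page; it is not ring-ssl's code and not the snippet the issue omitted. The names `wrap-hsts-expire` and `wrap-ssl-unredirect` are mine, the request/response shapes are plain Ring maps, and it assumes a reverse proxy sets `x-forwarded-proto` when it terminates TLS.

```clojure
(ns example.undo-ssl
  "Added example, not part of ring-ssl: middleware for rolling HSTS and
  the http->https redirect back out after a certificate stops being trusted."
  (:require [clojure.string :as str]))

(defn- https-request? [req]
  ;; Trust the proxy's scheme header when present, otherwise the socket scheme.
  (= "https" (or (get-in req [:headers "x-forwarded-proto"])
                 (name (:scheme req)))))

(defn wrap-hsts-expire
  "Adds Strict-Transport-Security: max-age=0 to every response served over
  HTTPS, which tells the browser to drop its cached HSTS policy for the host.
  Caveat (RFC 6797 section 8.1): browsers only act on this header when the TLS
  connection has no certificate errors, so it clears the policy only for users
  whose browsers still trust the certificate; users already seeing the warning
  page never receive it."
  [handler]
  (fn [req]
    (let [resp (handler req)]
      (if (and resp (https-request? req))
        (assoc-in resp [:headers "Strict-Transport-Security"] "max-age=0")
        resp))))

(defn wrap-ssl-unredirect
  "Inverse of an ssl redirect: sends HTTPS requests to the same URL over HTTP.
  Uses 302 rather than 301 so browsers do not cache the downgrade permanently;
  this is meant to run only for the transition window."
  [handler]
  (fn [req]
    (if (https-request? req)
      (let [host (-> (get-in req [:headers "host"] (:server-name req))
                     (str/replace #":\d+$" ""))
            uri  (str "http://" host (:uri req)
                      (when-let [q (:query-string req)] (str "?" q)))]
        {:status 302 :headers {"Location" uri} :body ""})
      (handler req))))

;; Order matters: the HSTS header must also go on the 302 itself, so the
;; expiry middleware is the outermost layer.
(def app
  (-> (fn [_] {:status 200 :headers {} :body "ok"})
      wrap-ssl-unredirect
      wrap-hsts-expire))

(comment
  ;; constructed sample request, as a proxy would forward it
  (app {:scheme :http :server-name "example.test" :uri "/page"
        :query-string "a=1" :headers {"host" "example.test"
                                      "x-forwarded-proto" "https"}})
  ;; => 302 to http://example.test/page?a=1 with Strict-Transport-Security: max-age=0
  )
```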