
Hi Valentin

On 31.12.2017 16:31, Valentin Brandl wrote:
> Hi there,
>
> I'm starting to build a mirror for the tor project. The instructions
> page states `Try not to redirect http to https. Many places in the world
> cannot use https due to local or national firewalls`.
>
> Since there should be no redirect, should I also stop sending HSTS
> headers when the page is visited via https? Also should or shouldn't I
> insert my site into the HSTS preload list?

I was asking myself the same questions when I set up my mirror. Then I found this:

$ curl -is https://www.torproject.org/ | grep Strict-Transport-Security
Strict-Transport-Security: max-age=15768000; preload

Also, my own domain, which the mirror lives under, has "includeSubdomains" enabled and is on the preload list. So unless I change my whole domain setup with all its websites, it's active anyway on my mirror.

So I figured it might be left as an exercise to the user to disable HSTS in his browser. Because if he lives or works behind such a proxy, he will be barred from more than half of the world's websites by the end of the year.

Or maybe I should set up an entirely different domain with no TLS and HSTS at all?
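
The point about a parent domain's "includeSubdomains" policy applying to a mirror hosted under it can be checked mechanically. The following is an added example, not part of the original message: it parses a Strict-Transport-Security value following RFC 6797 and reports which stored policy, if any, forces HTTPS for a given host. The function names and the hostnames used with them are assumptions made for illustration.

```python
# Added example: RFC 6797 header parsing and superdomain matching.
# Function names are hypothetical; any hostnames passed in are the caller's.

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if it is invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        arg = arg.strip().strip('"')       # a value may be sent as a quoted-string
        if name in seen:
            return None                    # a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":            # not in RFC 6797; used by the preload list
            policy["preload"] = True
        # any other unknown directive is ignored
    if policy["max_age"] is None:
        return None                        # max-age is the one required directive
    return policy


def covering_policy(host, known):
    """Return (policy_host, policy) that forces HTTPS for host, or None.

    known maps hostname -> parsed policy, like a browser's HSTS store.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = known.get(candidate)
        if policy is None or policy["max_age"] == 0:
            continue                       # max-age=0 means "forget this host"
        if i == 0 or policy["include_subdomains"]:
            return candidate, policy       # exact match, or inherited from a parent
    return None
```

Feeding it the header shown in the curl output above gives a policy with preload set but without includeSubDomains, so that policy alone would not extend to hosts below the name that sent it.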