Hi Valentin
On 31.12.2017 16:31, Valentin Brandl wrote:
> Hi there,
> I'm starting to build a mirror for the tor project. The instructions page states `Try not to redirect http to https. Many places in the world cannot use https due to local or national firewalls`.
>
> Since there should be no redirect, should I also stop sending HSTS headers when the page is visited via https? Also should or shouldn't I insert my site into the HSTS preload list?

I was asking myself the same questions when I set up my mirror. Then I found this:
$ curl -is https://www.torproject.org/ | grep Strict-Transport-Security
Strict-Transport-Security: max-age=15768000; preload
Also, my own domain, which the mirror lives under, has "includeSubdomains" enabled and is on the preload list. So unless I change my whole domain setup with all its websites, it's active anyway on my mirror.

So I figured it might be left as an exercise to the user to disable HSTS in his browser. Because if he lives or works behind such a proxy he will be barred from more than half of the world's websites by the end of the year.

Or maybe I should set up an entirely different domain with no TLS and HSTS at all?
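To make the header above and the includeSubDomains point concrete, here is an added example that is not part of this thread and not the Tor project's own tooling: it parses a Strict-Transport-Security value the way RFC 6797 describes and models which hosts a browser would treat as HTTPS-only, given the policies it has cached or preloaded. The www.torproject.org header value is the one quoted in the message; the parent domain `example.net`, the hostname `tor-mirror.example.net` and the other sample hosts are constructed placeholders.

```python
"""HSTS header parsing and an 'is this host forced to HTTPS?' check.

Added illustration for the mirror/HSTS discussion; the sample hostnames and
the parent-domain header are constructed, not taken from any real mirror.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int              # seconds the UA remembers the host as HTTPS-only
    include_subdomains: bool  # policy also applies to every subdomain
    preload: bool             # site opts in to the browser preload list


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, duplicate
    directives make the header invalid, unknown directives are ignored.
    Returns None when a browser would ignore the header.
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: whole header is invalid
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def effective_policy(host: str, policies: Dict[str, HstsPolicy]) -> Optional[HstsPolicy]:
    """Return the policy that forces HTTPS for `host`, or None.

    `policies` maps a hostname to the HSTS policy a browser holds for it
    (from an earlier HTTPS visit or the preload list). A host is covered if
    it has its own policy with max-age > 0, or if any ancestor domain has a
    policy with includeSubDomains and max-age > 0. This is a simplified model
    of browser behaviour (an assumption of this example), not a real store.
    """
    own = policies.get(host)
    if own is not None and own.max_age > 0:
        return own
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        pol = policies.get(parent)
        if pol is not None and pol.include_subdomains and pol.max_age > 0:
            return pol
    return None


def demo() -> Dict[str, bool]:
    """Which sample hosts end up HTTPS-only, given the cached policies."""
    # First entry: the header quoted in the thread for www.torproject.org.
    # Second entry: constructed header for a parent domain that, like the
    # poster's, has includeSubDomains and preload set.
    cached = {
        "www.torproject.org": parse_hsts("max-age=15768000; preload"),
        "example.net": parse_hsts("max-age=31536000; includeSubDomains; preload"),
    }
    cached = {h: p for h, p in cached.items() if p is not None}
    hosts = ["www.torproject.org", "tor-mirror.example.net", "mirror.other.example"]
    return {h: effective_policy(h, cached) is not None for h in hosts}


if __name__ == "__main__":
    for host, forced in demo().items():
        print(f"{host}: {'HTTPS forced' if forced else 'plain http allowed'}")
```

The point the model makes visible: a mirror hosted under a domain whose own policy carries includeSubDomains is forced to HTTPS by the parent's policy whether or not the mirror host sends any HSTS header of its own, so dropping the header on the mirror alone changes nothing for users who have already seen (or preloaded) the parent domain.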