On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote: > Florian Obser wrote: > > OK? > > > > diff --git httpd.conf.5 httpd.conf.5 > > index b3eaad8..bfca29f 100644 > > --- httpd.conf.5 > > +++ httpd.conf.5 > > @@ -262,6 +262,18 @@ root directory of > > .Xr httpd 8 > > and defaults to > > .Pa /run/slowcgi.sock . > > +.It Ic hsts Oo Ar option Oc > > +Enable HTTP Strict Transport Security. > > Why this, but not also e.g. Public-Key-Pins or Content-Security? > > I think this quickly turns into a call for a generic add-header mechanism. >
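Review bot: the new `.It Ic hsts Oo Ar option Oc` entry advertises an optional argument, but the only descriptive line visible under it is "Enable HTTP Strict Transport Security." with nothing saying which options are accepted or what the defaults are; the entry should list them. The text should also state that the keyword only has an effect on a server that is serving TLS, because RFC 6797 requires user agents to ignore a Strict-Transport-Security header received over plain HTTP, so a reader who enables it on a port-80 listener gets no protection and no warning.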
HSTS is a good thing and widely pushed, e.g. by Google, in an effort to enforce HTTPS over HTTP. It is a useful security option and florian's implementation lets us enable it with one simple statement: "hsts".

If we ever find out that we'd also do other things like Content-Security, we'll consider adding them as well. Adding a generic header mechanism would make it utterly more complex, both from a usability and an implementation point of view. If we ever find the time and need for such a mechanism, we can keep the existing hsts keywords as a higher layer on top of it.

Reyk
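The thread asserts that HSTS "enforces HTTPS over HTTP" and that a single `hsts` keyword is enough to turn it on. The part worth checking before relying on it is what a client actually does with the header, since the policy is only cached from a TLS response and only matches the hosts it names. The following is an added example, written for this page and not code from OpenBSD httpd or from anyone in the thread; it models the user-agent side of RFC 6797 (directive parsing, the over-TLS requirement, host and subdomain matching) on constructed sample responses and the hypothetical hostname example.com.

```python
"""Evaluate a Strict-Transport-Security header the way a conforming
user agent does (RFC 6797). Added example, not OpenBSD httpd code."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HstsPolicy:
    max_age: int             # seconds; 0 tells the client to forget the host (RFC 6797 s6.1.1)
    include_subdomains: bool  # includeSubDomains directive present
    preload: bool             # not part of RFC 6797; marker used by browser preload lists


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs, skipping the status line."""
    fields = []
    for line in raw.split("\r\n")[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS field value; None means the header is invalid and must be ignored.

    RFC 6797 s6.1: directives are ';'-separated, names are case-insensitive,
    max-age is mandatory, and a directive that appears twice invalidates the header.
    """
    seen = {}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')   # max-age may be a quoted-string
        if name in seen:
            return None
        seen[name] = val
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def hsts_policy_from_response(raw_response: str, over_tls: bool) -> Optional[HstsPolicy]:
    """Return the policy a client would cache for this response, or None.

    RFC 6797 s8.1: STS headers received over a non-secure transport MUST be
    ignored, and only the first STS field in a response is processed.
    """
    if not over_tls:
        return None
    for name, value in parse_header_block(raw_response):
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def hsts_covers(policy: HstsPolicy, policy_host: str, request_host: str) -> bool:
    """True if a cached policy for policy_host forces request_host to HTTPS."""
    if policy.max_age == 0:
        return False
    p = policy_host.lower().rstrip(".")
    r = request_host.lower().rstrip(".")
    if r == p:
        return True
    return policy.include_subdomains and r.endswith("." + p)


# Constructed sample responses (not captured from any real server). The same
# bytes are used for the TLS and the plain-HTTP case on purpose: only the
# transport decides whether the policy is honoured.
TLS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: OpenBSD httpd\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
PLAIN_RESPONSE = TLS_RESPONSE


if __name__ == "__main__":
    cached = hsts_policy_from_response(TLS_RESPONSE, over_tls=True)
    print("policy cached from TLS response:", cached)
    print("policy cached from plain HTTP:", hsts_policy_from_response(PLAIN_RESPONSE, over_tls=False))
    print("www.example.com upgraded:", hsts_covers(cached, "example.com", "www.example.com"))
    print("notexample.com upgraded:", hsts_covers(cached, "example.com", "notexample.com"))
```

The plain-HTTP case is the one that matters for the configuration question in the thread: a listener without tls that emits the header changes nothing on the client, so the keyword belongs on the HTTPS server block, and the port-80 side still needs a redirect to get the first visit onto TLS.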