Reyk Floeter wrote:
> On Fri, Jul 17, 2015 at 08:20:11PM -0400, Ted Unangst wrote:
> > Florian Obser wrote:
> > > OK?
> > >
> > > diff --git httpd.conf.5 httpd.conf.5
> > > index b3eaad8..bfca29f 100644
> > > --- httpd.conf.5
> > > +++ httpd.conf.5
> > > @@ -262,6 +262,18 @@ root directory of
> > > .Xr httpd 8
> > > and defaults to
> > > .Pa /run/slowcgi.sock .
> > > +.It Ic hsts Oo Ar option Oc
> > > +Enable HTTP Strict Transport Security.
> >
> > Why this, but not also e.g. Public-Key-Pins or Content-Security?
> >
> > I think this quickly turns into a call for a generic add-header mechanism.
> >
>
> HSTS is a good thing and widely pushed, eg. by Google, in an effort to
> enforce HTTPS over HTTP. It is a useful security option and florian's
> implementation lets us enable it with one simple statement: "hsts".
>
> If we ever find out that we'd also do other things like
> Content-Security, we'll consider adding them as well.
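Review bot: the new `.It Ic hsts Oo Ar option Oc` entry advertises an optional argument, but the only description quoted here, `Enable HTTP Strict Transport Security.`, names neither the accepted options nor what the header carries when `hsts` is given alone. The hunk header `@@ -262,6 +262,18 @@` accounts for twelve added lines and only two are quoted, so if the remaining lines enumerate the options this is covered; otherwise the entry should list each `Ar option` and state the default header value, since an operator reading httpd.conf.5 has to know what a bare `hsts` commits clients to before enabling it.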
well, here's one list of headers that people may wish to use. https://www.owasp.org/index.php/List_of_useful_HTTP_headers there are many similar "top five headers you need to use today!" lists and blogs and such. hsts isn't unique. the key pinning and frame options headers are also widely recommended.