Update Caddyfile - enable HSTS #419
Conversation
|
|
inetol
left a comment
There was a problem hiding this comment.
Please comment this security feature.
Caddyfile
Outdated
| X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex" | ||
|
|
||
| # enable HSTS | ||
| Strict-Transport-Security max-age=15768000; |
There was a problem hiding this comment.
The reason this option was removed in commits later is that HSTS is not for everyone by default. As MDN:
Once this value is set, the site must continue to support HTTPS until the expiry time is reached.
Client can no longer access the site if you decide (as the host) to use HTTP proto only, unless the client also voids the HSTS timer on their browser.
|
I have commented it out |
|
The other option would be to use value like 300 seconds, as it would still be possible to get an A+ score with this value. |
The Observatory rating can change at any time, so we shouldn't focus too much on that, but rather on giving a middle ground. HSTS with age values lower than 1 month doesn't make sense, 6 months seems pretty reasonable to me and is just enough to get a neutral rating. |
HSTS is required to achieve a good score in the Mozilla Observatory test (https://developer.mozilla.org/en-US/observatory/analyze), which is one of the criteria on the https://searx.space instance list.
Caddyfile has been updated to enable the HTTP Strict Transport Security, with six months cache.
Best regards,
Maciej Błędkowski