@timlrx timlrx commented Feb 13, 2022

Fix #304 (comment)

I think the best way to do it would be to keep the max-age and includeSubDomains but exclude preload by default.

To quote HSTS preload org:

If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. We get regular emails from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they find they need to remove HSTS to access certain subdomains. Removal tends to be slow and painful for those sites.

Without the preload option (MDN):

Should it be necessary to disable Strict Transport Security, setting the max-age to 0 (over an https connection) will immediately expire the Strict-Transport-Security header, allowing access via http.
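An added example, not part of this pull request or the project's code: a small builder and linter for `Strict-Transport-Security` values that keeps `preload` opt-in, as the comment above proposes, and recognises `max-age=0` as the way to switch HSTS off. The function names and the max-age number are assumptions made for illustration.

```javascript
// Added example: build and lint Strict-Transport-Security values.
// The max-age number used below is a constructed sample, not taken from the PR.

// Parse a header value into its directives (names are case-insensitive, RFC 6797).
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const part of value.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // tolerate empty directives such as a trailing ';'
    if (seen.has(name)) throw new Error(`duplicate directive: ${name}`);
    seen.add(name);
    const arg = rest.join('=').trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (!/^\d+$/.test(arg)) throw new Error('max-age must be a non-negative integer');
      policy.maxAge = Number(arg);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  if (policy.maxAge === null) throw new Error('max-age is required');
  return policy;
}

// Build a value; preload is opt-in so a default deployment stays reversible.
function buildHsts({ maxAge, includeSubDomains = true, preload = false }) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Findings a template maintainer would want surfaced before shipping a default.
function reviewHsts(value) {
  const p = parseHsts(value);
  const findings = [];
  if (p.preload) findings.push('preload set: signals consent to preload-list inclusion; removal is slow');
  if (p.maxAge === 0) findings.push('max-age=0: expires the policy, HTTP access allowed again');
  if (p.includeSubDomains) findings.push('includeSubDomains: every subdomain must serve HTTPS');
  return findings;
}

const DEFAULT_HSTS = buildHsts({ maxAge: 31536000 }); // constructed sample value
```

Running `reviewHsts` over a template's default header value in CI catches a `preload` directive being reintroduced.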

vercel bot commented Feb 13, 2022

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/timlrx/tailwind-nextjs-starter-blog/8Bfia43k4oDubveSuzr49FTY74Re
✅ Preview: https://tailwind-nextjs-starter-blog-git-hsts-timlrx.vercel.app

@timlrx timlrx merged commit 72ca086 into master Feb 13, 2022
@timlrx timlrx deleted the hsts branch February 19, 2022 04:55
Meez25 pushed a commit to Meez25/Blog that referenced this pull request Jun 17, 2024
exclude preload from hsts header
bhiwagade-rahul pushed a commit to bhiwagade-rahul/tailwind-nextjs-starter-blog that referenced this pull request Sep 22, 2025
exclude preload from hsts header
Development

Successfully merging this pull request may close these issues.

Add security HTTP response headers
