TODO: remove HSTS

Provided now since commit 7385610d0c
Daniel Stenberg 2021-02-10 22:54:33 +01:00
parent 89e572af82
commit c386a0df44
GPG Key ID: 5CC908FDB71E12C2


@ -116,7 +116,6 @@
13.9 TLS record padding 13.9 TLS record padding
13.10 Support Authority Information Access certificate extension (AIA) 13.10 Support Authority Information Access certificate extension (AIA)
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
13.12 Support HSTS
13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
13.14 Support the clienthello extension 13.14 Support the clienthello extension
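Review bot: removing `13.12 Support HSTS` from the index leaves the numbering jumping from 13.11 straight to 13.13 while 13.13 and 13.14 keep their numbers; either renumber the following entries (and the matching section headings further down) or state that the gap is intentional so that existing references to TODO section numbers stay valid.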
@ -810,16 +809,6 @@
Adding this feature would make curls pinning 100% compatible to HPKP and Adding this feature would make curls pinning 100% compatible to HPKP and
allow more flexible pinning. allow more flexible pinning.
13.12 Support HSTS
"HTTP Strict Transport Security" is TOFU (trust on first use), time-based
features indicated by a HTTP header send by the webserver. It is widely used
in browsers and it's purpose is to prevent insecure HTTP connections after a
previous HTTPS connection. It protects against SSLStripping attacks.
Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
RFC 6797: https://tools.ietf.org/html/rfc6797
13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3 RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
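Review bot: deleting the section also drops the only references in this file to RFC 6797 and the MDN HSTS page; since the commit message says the feature is now provided, it would be worth confirming that the documentation for the implemented feature carries those pointers so they are not lost from the tree. The removal of the section body here is consistent with the index entry removed in the first hunk.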