mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-04-12 16:20:35 +08:00
Code Issues Packages Projects Releases Wiki Activity
curl/docs/HSTS.md
Daniel Stenberg 96ffb57040
docs: bring back ALTSVC.md and HSTS.md 
This partly reverts 0e06603b2318356ba78b2f

These file formats are not properly documented elsewhere, plus the
website uses these files to populate the documentation pages to which
users end up via the URLs that are mentioned within the alt-svc and hsts
files.

Fixes #15705
Reported-by: Jeffrey Bosboom
Closes #15706
2024-12-09 09:32:19 +01:00

1.2 KiB
Raw Permalink Blame History

HSTS support

HTTP Strict-Transport-Security. Added as experimental in curl 7.74.0. Supported "for real" since 7.77.0.

Standard

HTTP Strict Transport Security

Behavior

libcurl features an in-memory cache for HSTS hosts, so that subsequent HTTP-only requests to a hostname present in the cache gets internally "redirected" to the HTTPS version.

curl_easy_setopt() options:

  • CURLOPT_HSTS_CTRL - enable HSTS for this easy handle
  • CURLOPT_HSTS - specify filename where to store the HSTS cache on close (and possibly read from at startup)

curl command line options

  • --hsts [filename] - enable HSTS, use the file as HSTS cache. If filename is "" (no length) then no file is used, only in-memory cache.

HSTS cache file format

Lines starting with # are ignored.

For each hsts entry:

[host name] "YYYYMMDD HH:MM:SS"

The [host name] is dot-prefixed if it includes subdomains.

The time stamp is when the entry expires.

Possible future additions

  • CURLOPT_HSTS_PRELOAD - provide a set of HSTS hostnames to load first
  • ability to save to something else than a file