1 Oct 2015, 09:12 PM   #6
robn
Representative of:
Fastmail.fm
Quote: Originally Posted by n5bb
Rob, could you come up with a system to force HSTS (ideally preloaded) for https: links to Fastmail file storage? Currently the user link becomes a subpath under https://user.fm/, and I don't think that any HSTS is used for that domain. See this EMD thread.
All HSTS does is force a browser to use the HTTPS variant when HTTP is requested. In the scenario described in the other case, the concern is over a user fiddling the URL to go to the domain version of the site, which doesn't have an HTTPS variant. HSTS wouldn't help there.

We could set up HSTS to force http://user.fm/... to go to https://user.fm/..., but I'd need to think about it a bit first and study the access logs to understand what the impacts might be. That's not a high priority for me right now.

Last edited by robn : 2 Oct 2015 at 08:00 AM.
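As an added illustration of the point made in the post (example code, not from the thread or from Fastmail): a minimal model of a browser's HSTS store. An entry learned from a Strict-Transport-Security header sent by user.fm over HTTPS upgrades later http://user.fm links, but it does nothing for a URL on a different host, which is exactly why HSTS cannot help with the URL-fiddling case. The header values, the expiry times and every hostname other than user.fm are constructed for the demonstration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    def __init__(self, preload=()):
        # Preloaded hosts never expire and cover subdomains, as in browser preload lists.
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, url, headers, now=None):
        """Record a Strict-Transport-Security header; browsers ignore it over plain HTTP."""
        parts = urlsplit(url)
        sts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or sts is None:
            return False
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        if not m:
            return False
        host = parts.hostname
        now = time.time() if now is None else now
        if int(m.group(1)) == 0:             # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            sub = re.search(r"includeSubDomains", sts, re.I) is not None
            self.entries[host] = (now + int(m.group(1)), sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve(self, url, now=None):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url                        # unknown host: no upgrade, HSTS cannot help
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    cache = HstsCache()   # constructed response: user.fm sends HSTS over HTTPS
    cache.observe("https://user.fm/x", {"Strict-Transport-Security": "max-age=31536000"}, now=0)
    print(cache.resolve("http://user.fm/x/file.txt", now=1))       # upgraded to https://
    print(cache.resolve("http://example.test/x/file.txt", now=1))  # unchanged: other host
```

Adding `includeSubDomains` to the header (or preloading the domain) is what extends the upgrade to hosts under user.fm, which is the difference the "ideally preloaded" request in the quoted post is asking about.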