Skip to content

Clarification of language around HSTS #3364

Description

@tautology0

The wording around the max-age parameter of HSTS is needlessly ambiguous especially in 3.4.1:

Verify that a Strict‑Transport‑Security header field is included on all responses to enforce an HTTP Strict Transport Security (HSTS) policy. A maximum age of at least 1 year must be defined, and for L2 and up, the policy must apply to all subdomains as well.

The problem here is the use of "maximum age", the sentence can be parsed as the maximum value of the parameter or the maximum value of max-age. This all hooks on the words "... at least ...", if they're missed on a skim read the sentence has a different meaning. The sentence caused confusion for our internal advice, as we tried to work out what the best recommendation for HSTS was.

To make it totally unambiguous it would be better to rephrase it to be explicit, something like:

Verify that a Strict‑Transport‑Security header field is included on all responses to enforce an HTTP Strict Transport Security (HSTS) policy. The max-age parameter should be set to at least 31536000 (one year). For L2 and up, the policy must apply to all subdomains as well.

Metadata

Metadata

Assignees

No one assigned

    Labels

    4) proposal for reviewIssue contains clear proposal for add/change somethingV3 (prev V50)Group issues related to Web Frontend

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions