top | item 36284355

theobeers | 2 years ago

I wonder why Cloudflare still recommends a value of 6 months (15552000 seconds) for Max-Age in the HSTS header, when that isn't enough to qualify for Google's preload list. They do acknowledge this problem in their docs, but (afaik) without explaining why they've stuck with 6 months as the default and recommended value.

8organicbits | 2 years ago

I suspect well written docs avoid pushing HSTS and HSTS preload too hard. On first pass it sounds like a great security tool, so people rush to enable it, but then many have issues. When your HSTS preload setting gets hardcoded into a browser, you can't remove it. You've got to wait for all your users to update.

I think the Cloudflare recommendation is based on the Qualys tool, which uses six months as their recommendation. Interestingly, Twitter is using 631138519 seconds (20 years) for their setting, so they are extra confident.
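The two posts above compare three max-age values (Cloudflare's 15552000, the preload list's one-year minimum, Twitter's 631138519) without showing how a browser or the preload checker actually reads the header. The following is an added example, not code from the thread, Cloudflare, Qualys or hstspreload.org: a small RFC 6797 parser for the Strict-Transport-Security value plus the header-level eligibility rules that hstspreload.org publishes (max-age of at least 31536000 seconds, includeSubDomains, preload). The threshold constants and the sample header values are constructed for the demo; the live checks the preload form also performs (valid certificate, HTTP-to-HTTPS redirect on the bare domain) are deliberately out of scope because they need a network request.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Thresholds discussed in the thread (plain constants, not from any library):
# hstspreload.org's published minimum max-age is one year; Cloudflare's
# default and recommendation is six months.
PRELOAD_MIN_MAX_AGE = 31_536_000        # 365 days
CLOUDFLARE_DEFAULT_MAX_AGE = 15_552_000  # 180 days


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is absent
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directive names are case-insensitive, the max-age value may be quoted,
    and unknown directives are ignored rather than rejected.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age given more than once")
            if not re.fullmatch(r"[0-9]+", value):
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header_value: str) -> list[str]:
    """Header-level reasons the preload list would reject this policy.

    Only the header itself is checked here; the submission form also
    requires a valid certificate and an HTTP->HTTPS redirect on the bare
    domain, which need a live request and are out of scope for this check.
    """
    policy = parse_hsts(header_value)
    problems = []
    if policy.max_age is None:
        problems.append("max-age directive missing")
    elif policy.max_age == 0:
        # RFC 6797 6.1.1: max-age=0 tells the UA to stop treating the host as HSTS
        problems.append("max-age=0 tells browsers to forget the host, not to pin it")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {policy.max_age} ({policy.max_age // 86400} days) is below "
            f"the preload minimum of {PRELOAD_MIN_MAX_AGE} (365 days)"
        )
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed header values standing in for what the sites in the thread send.
    samples = {
        "Cloudflare default": f"max-age={CLOUDFLARE_DEFAULT_MAX_AGE}",
        "Twitter (20 years)": "max-age=631138519; includeSubDomains; preload",
        "quoted, mixed case": 'Max-Age="31536000"; IncludeSubDomains; Preload',
    }
    for label, value in samples.items():
        problems = preload_problems(value)
        print(f"{label}: {'preload-eligible' if not problems else '; '.join(problems)}")
```

Running it shows the point of the first post: Cloudflare's default fails the preload check on max-age alone, before the missing includeSubDomains and preload directives are even considered, while the 20-year value passes outright. The includeSubDomains requirement is also where most of the "many have issues" stories come from, since it commits every subdomain, including internal ones that may not speak TLS, and the only way back once the entry ships in a browser is the slow removal process 8organicbits describes.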