Sometimes there's HSTS with no HTTP → HTTPS redirect, sometimes the opposite. How hard is it to do both?
Replying to @durumcrustulum
I'm not sure I understand? IIRC, you are not supposed to set the header on the redirect from HTTP to HTTPS.
Replying to @vcsjones
You serve the header with the HTTPS response. I've seen multiple services with just a redirect, or just HSTS on HTTPS response.
Replying to @durumcrustulum @vcsjones
How about HSTS on just the *HTTP* response?
(There are 32 preloaded domains like that.)
How did they get on the list? Grandfathered old ones?
They met the requirements once upon a time, I think.
If Firefox's preload list works the same way it did three years ago, that means they aren't preloaded in Firefox and thus not HSTS there.
Does Firefox confirm via HTTPS that HSTS is no longer served?
At least as of a while ago, Firefox build infrastructure would rescan the sites on the list to verify they still meet preload requirements.
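
The three configurations discussed in this thread (redirect without HSTS, HSTS without a redirect, and HSTS served only on the plain-HTTP response) can be told apart from the two responses a host gives for `GET /`. The following is an added example, not code from any participant in the thread; the function names, host names and response data are constructed for illustration, and it relies on RFC 6797, under which browsers ignore a `Strict-Transport-Security` header received over plain HTTP.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if absent or malformed."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def classify(http_resp, https_resp):
    """Each response is (status, headers) with lowercase header names."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if not (status in (301, 302, 307, 308) and target.scheme == "https"):
        findings.append("no HTTP to HTTPS redirect")
    if "strict-transport-security" in headers:
        findings.append("HSTS sent over HTTP (ignored by browsers)")
    policy = parse_hsts(https_resp[1].get("strict-transport-security"))
    if policy is None or policy["max_age"] == 0:  # max-age=0 clears the policy
        findings.append("no effective HSTS on HTTPS response")
    return findings

STS = "strict-transport-security"
SAMPLES = {  # constructed responses, not real scan data
    "both.example": ((301, {"location": "https://both.example/"}),
                     (200, {STS: "max-age=31536000; includeSubDomains"})),
    "redirect-only.example": ((301, {"location": "https://redirect-only.example/"}),
                              (200, {})),
    "hsts-only.example": ((200, {}), (200, {STS: "max-age=63072000"})),
    "http-hsts.example": ((301, {"location": "https://http-hsts.example/",
                                 STS: "max-age=31536000"}), (200, {})),
}

if __name__ == "__main__":
    for host, (plain, secure) in SAMPLES.items():
        print(host, classify(plain, secure) or ["redirect and HSTS both present"])
```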