I've implemented HSTS (HTTP Strict Transport Security) and need some feedback. At the moment a customer can activate HSTS on the certificate add/edit/remove page (/client/cert_view.php?domain_id=*&domain_type=*).
It is only possible to enable/disable HSTS for that domain. If enabled, the apache/domain_ssl.tpl will have an entry like:
Header always set Strict-Transport-Security "max-age=31536000" (max-age=1year).
Now my questions:
- Is the max-age OK? Or should it be configurable? If yes: between which values (e.g. only positive values allowed)?
- Should I also add the parameters "; includeSubDomains; preload"? If yes: optional (configurable) or fixed?
- If HSTS is enabled, should http://domain.tld automatically get redirected to https://domain.tld?
- If yes, fixed or optional?
- If yes, 301 redirect or still 302 redirect? Should we maybe then change completely to 301 redirects (also SEO-friendly)?
- Should I also add the HSTS rules for domain_disabled_ssl.tld & domain_redirect_ssl.tld?
PS: After your feedback and modifications I need testers. Then I'll merge the "feature-hsts" branch into 1.2.x.
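The questions above boil down to "which max-age / includeSubDomains / preload combinations should the panel accept, and what line ends up in the template". The following helper is an added example, not code from the post or from the project it describes: it renders the `Header always set Strict-Transport-Security` line for a chosen policy, parses a header value back according to RFC 6797 (directive names case-insensitive, max-age required, no duplicate directives), and flags the combinations that are invalid or that would fail the public preload list's requirements (max-age of at least one year, includeSubDomains, preload, and an HTTP-to-HTTPS redirect on the bare host). The `HstsPolicy` class and all function names are hypothetical; the `http_redirects_to_https` flag stands in for whatever the panel knows about the HTTP vhost's redirect, which the post leaves open.

```python
"""Hypothetical helper for rendering and sanity-checking an HSTS policy.

Added example; not part of the original post or its project. Names are made up.
"""
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # the post's fixed value: 365 days in seconds


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def render_header_value(policy: HstsPolicy) -> str:
    """Build the header value, e.g. 'max-age=31536000; includeSubDomains; preload'."""
    parts = [f"max-age={policy.max_age}"]
    if policy.include_subdomains:
        parts.append("includeSubDomains")
    if policy.preload:
        parts.append("preload")
    return "; ".join(parts)


def render_apache_directive(policy: HstsPolicy) -> str:
    """The mod_headers line for the HTTPS vhost template.

    'always' makes Apache send the header on non-2xx responses (redirects, errors)
    as well, which matters because a 301/302 is often the first thing a client sees.
    """
    return f'Header always set Strict-Transport-Security "{render_header_value(policy)}"'


def parse_header_value(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value following RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is mandatory and may be quoted,
    a directive appearing twice makes the header invalid, unknown directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"malformed max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is an extension and is ignored
    if max_age is None:
        raise ValueError("max-age is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def validate_policy(policy: HstsPolicy, http_redirects_to_https: bool = True) -> list[str]:
    """Return a list of problems; an empty list means the policy is acceptable.

    http_redirects_to_https is an assumption about the HTTP vhost: the preload list
    requires the bare host on port 80 to redirect to HTTPS before it is accepted.
    """
    problems = []
    if policy.max_age < 0:
        problems.append("max-age must be a non-negative integer")
    elif policy.max_age == 0:
        problems.append("max-age=0 makes browsers forget the policy (only useful for rolling HSTS back)")
    if policy.preload:
        if policy.max_age < ONE_YEAR:
            problems.append(f"preload requires max-age >= {ONE_YEAR} (one year)")
        if not policy.include_subdomains:
            problems.append("preload requires includeSubDomains")
        if not http_redirects_to_https:
            problems.append("preload requires http:// on the bare host to redirect to https://")
    return problems


if __name__ == "__main__":
    chosen = HstsPolicy(max_age=ONE_YEAR, include_subdomains=True, preload=True)
    print(render_apache_directive(chosen))
    print(validate_policy(HstsPolicy(3600, preload=True)))
```

Allowing a negative or non-numeric max-age in the panel produces a header that browsers discard entirely, so a numeric check at input time is the minimum; `max-age=0` is worth allowing but labelling, since it is the only way to unset a policy a customer previously enabled. Note that preload is a long-term commitment for every subdomain, so exposing it as an opt-in rather than a fixed default is the safer choice.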