For me, the max-age value should be lowered and not be greater than 1 month.
ssllabs.com requires 180 days for getting an A+ rating.
-
The max-age should be as high as possible, because some websites will not be visited every day/week/month by the same person (e.g. if the visitor comes from Google). So if you have a max-age of one month the HSTS feature is needless for some visitors. Because of that the max-age should be as high as possible. But again, the max-age will be variable in the frontend, so every customer can select their preferred time.
-
Where did you find that requirement?
I tried my own website with max-age set below 15552000.
Then the test says Strict Transport Security (HSTS) [b]Yes[/b] max-age=15551999 [b]TOO SHORT (less than 180 days)[/b]
I'll send you a URL to my test.
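The two points made above (a visitor who returns after the policy has expired is no longer protected, and the 180-day threshold the ssllabs test applies) can be checked offline. This is an added example, not i-MSCP code and not the ssllabs scanner's logic: it parses a Strict-Transport-Security header value per RFC 6797 (directive names are case-insensitive, max-age is an integer number of seconds), flags a max-age below 15552000 seconds, and models whether a cached policy is still in force when the same visitor comes back later. The header values and visit dates are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# 180 days in seconds, the threshold quoted from the ssllabs test in the thread.
SIX_MONTHS = 15552000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict of directives.

    Directive names are lower-cased; valueless directives map to True.
    Raises ValueError when max-age is absent or not a non-negative integer,
    since a browser would ignore such a header entirely.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        directives[name] = value if value else True
    if not re.fullmatch(r"\d+", str(directives.get("max-age", ""))):
        raise ValueError("max-age directive missing or not a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def assess(header_value, min_age=SIX_MONTHS):
    """Summarise an HSTS header and flag a max-age shorter than min_age seconds."""
    d = parse_hsts(header_value)
    return {
        "max_age": d["max-age"],
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
        "too_short": d["max-age"] < min_age,
    }


def policy_active_at(first_visit, max_age, later_visit):
    """True if a policy learned at first_visit (with the given max-age in seconds)
    is still cached at later_visit, assuming no visit in between refreshed it.
    """
    return later_visit <= first_visit + timedelta(seconds=max_age)


if __name__ == "__main__":
    # Constructed header values: one month, the value from the thread, one year.
    for hdr in ("max-age=2592000",
                "max-age=15551999; includeSubDomains",
                "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", assess(hdr))

    # Constructed visit dates: a visitor who returns 45 days after a one-month policy.
    first = datetime(2015, 1, 1, tzinfo=timezone.utc)
    back = first + timedelta(days=45)
    print("one-month policy still active after 45 days:",
          policy_active_at(first, 2592000, back))
    print("one-year policy still active after 45 days:",
          policy_active_at(first, 31536000, back))
```

The `policy_active_at` check is what the "visitor from Google" argument comes down to: with a one-month max-age, anyone who returns after a gap longer than that arrives with no cached policy and will make their first request over plain HTTP again.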
-
Hey ya!
@Nuxwin thanks. So I'll use 307 for HSTS redirects to https and 301 as default. About the max-age, this param will be variable.
307 means it is a temporary redirect, this means that the next time a user would go to an HSTS-enabled website, it will retry connecting to the http://domain.tld. This would surpass the goal of HSTS... right?
I think it should be a permanent redirect (301). If you don't agree, let's see if 303 would work...
Anyhow, seeing the different opinions I think this should be a configurable option (by admin/reseller/user? let's talk about that, would it be beneficial for a user to change it, or maybe just reseller/admin).

People clearly have different needs, I myself would set it to a great value, maybe a year... This has some user implications, but lowering the value also surpasses the use of HSTS.

I think this should be configurable in the CP too, maybe not by the user, but on reseller/admin level. A user can screw up their website really easy by doing this...

A note to our loved devvers: I think there should be a warning when enabling HSTS with the possible implications with a link to some documentation. (Maybe we should create a little (fancy, happy, beautiful) knowledge base so we can refer to it from the panel (either hosted in the panel itself or on i-mscp.net).)
-
@theemstra as I understood 307 is recommended for HSTS. If the HSTS flag is set for that domain, next time the customer will automatically get redirected to https, so a permanent redirect is not needed here (as I understood XD). The max-age variable will be settable on the customer side (it's a customer task). We could add an info tooltip for that option, but a customer (mostly a web developer) should know what he's doing by activating HSTS...
-