Check HSTS headers.

[09:17:08] <bb|hcb> In the meantime I have noticed that devuan.packet-gain.de (it is in the RR) forces HSTS and that makes it unusable from Firefox

[09:20:01] mmm hsts isn't expected for deb.devuan.org hosts

[09:33:37] <bb|hcb> onefang: do you check for HSTS header in apt-panopticon?

[13:04:55] No I don't check HSTS headers in apt-panopticon.  I'll add a TODO.  Has anyone checked if that screws with apt itself?


Sledhjchisl uses HSTS.


reported=2021-12-15 03:18:15

reporter=onefang

priority=normal

category=Feature

severity=minor

resolution=open


2021-12-15 03:33:38 onefang: [13:22:37] <bb|hcb> HSTS is good for its purpose, but may create a problem in modern browsers... I believe that apt ignores that but this may (will most probably) change

[13:23:09] <bb|hcb> problem for http only sites like deb.

[13:26:07] Yes, that's why apt-panopticon marks "server changed HTTP to HTTPS" for deb.devuan.org mirrors as a FAIL.

[13:26:38] So HSTS should get the same result.

[13:26:54] <bb|hcb> if it does a redirect, yes; but hsts makes the client do the redirect itself and once received is quite sticky

[13:27:14] <bb|hcb> so both are bad for rr mirrors
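
A sketch of the check requested in this ticket, added here as an example and not taken from apt-panopticon: it classifies a mirror's response head, reporting an HTTP to HTTPS redirect and an active HSTS policy as FAIL reasons alike. The function names and the sample responses (host `mirror.example`) are constructed for illustration.

```python
# Added example, not apt-panopticon code. Sample responses are constructed.
def parse_response(raw: bytes):
    """Split a raw response head into (status, {lowercased header: [values]})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value: str):
    """Return (max_age or None, include_subdomains) from one header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "max-age" and val.isdigit():
            max_age = int(val)
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_mirror(raw: bytes):
    """Return the list of FAIL reasons; an empty list means the mirror passes."""
    status, headers = parse_response(raw)
    fails = []
    location = headers.get("location", [""])[0]
    if 300 <= status < 400 and location.lower().startswith("https://"):
        fails.append("server changed HTTP to HTTPS")
    # RFC 6797: browsers honour this header only over HTTPS, use only the
    # first instance, and treat max-age=0 as "forget the policy". So feed this
    # check the HTTPS response too, and flag only a positive max-age.
    sts = headers.get("strict-transport-security")
    if sts:
        max_age, include_sub = parse_hsts(sts[0])
        if max_age:
            suffix = " includeSubDomains" if include_sub else ""
            fails.append(f"HSTS max-age={max_age}{suffix}")
    return fails

PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://mirror.example/devuan/\r\n\r\n")
HSTS = (b"HTTP/1.1 200 OK\r\n"
        b"strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n")
CLEARED = b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n"
```
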