View Issue Details

ID: 0000389
Project: apt-panopticon
Category: Feature
View Status: public
Last Update: 2021-12-15 03:33
Reporter: onefang
Assigned To: onefang
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: 0.1
Summary: 0000389: Check HSTS headers.
Description:
[09:17:08] <bb|hcb> In the meantime I have noticed that devuan.packet-gain.de (it is in the RR) forces HSTS and that makes it unusable from firefox
[09:20:01] <rrq> mmm hsts isn't expected for deb.devuan.org hosts
[09:33:37] <bb|hcb> onefang: do you check for HSTS header in apt-panopticon?

[13:04:55] <onefang> No I don't check HSTS headers in apt-panopticon. I'll add a TODO. Has anyone checked if that screws with apt itself?
Additional Information: Sledhjchisl uses HSTS.
Tags: No tags attached.

Activities

onefang (administrator)   2021-12-15 03:33   ~0000529

[13:22:37] <bb|hcb> HSTS is good for its purpose, but may create a problem in modern browsers... I believe that apt ignores that but this may (will most probably) change
[13:23:09] <bb|hcb> problem for http only sites like deb.
[13:26:07] <onefang> Yes, that's why apt-panopticon marks "server changed HTTP to HTTPS" for deb.devuan.org mirrors as a FAIL.
[13:26:38] <onefang> So HSTS should get the same result.
[13:26:54] <bb|hcb> if it does a redirect, yes; but hsts makes the client do the redirect itself and once received is quite sticky
[13:27:14] <bb|hcb> so both are bad for rr mirrors
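The rule the discussion settles on (a deb.devuan.org round-robin mirror must stay usable over plain HTTP, so both a redirect to https:// and an HSTS header count as a FAIL) can be checked from the mirror's two responses. The following is an added example written for this page in Python; it is not apt-panopticon's own code, and the mirror hostnames, the check path and the "FAIL"/"WARN" wording are assumptions. It fetches the plain-HTTP response without following redirects, then the HTTPS response, and rates the pair. The distinction between the two transports matters: per RFC 6797 section 8.1 a browser ignores Strict-Transport-Security received over plain HTTP, so only the HTTPS copy of the header creates the sticky upgrade bb|hcb describes.

```python
import http.client
import re
import sys

# Added example, not apt-panopticon code. Encodes the rule from the thread above:
# an RR mirror must keep serving plain HTTP, so an HTTP->HTTPS redirect and an
# HSTS policy are both failures for it.

HSTS_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)', re.IGNORECASE)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the header is absent or carries no max-age directive."""
    if not value:
        return None
    m = HSTS_MAX_AGE.search(value)
    if not m:
        return None
    return int(m.group(1)), "includesubdomains" in value.lower()


def classify(http_status, http_headers, https_headers):
    """Rate one mirror from its plain-HTTP response (status and headers, redirects
    not followed) and the headers of its HTTPS response ({} if it has no HTTPS).
    Header names must be lower-cased. Returns a list of findings; an empty list
    means the mirror is usable over plain HTTP."""
    findings = []

    location = http_headers.get("location", "")
    if http_status in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        findings.append("FAIL: server changed HTTP to HTTPS (%d to %s)" % (http_status, location))

    # RFC 6797 section 8.1: clients ignore HSTS received over an insecure transport,
    # so this copy is a misconfiguration rather than a sticky upgrade.
    if parse_hsts(http_headers.get("strict-transport-security")):
        findings.append("WARN: HSTS header sent over plain HTTP (ignored by clients)")

    # The HTTPS copy is the one browsers remember. max-age=0 withdraws the policy.
    hsts = parse_hsts(https_headers.get("strict-transport-security"))
    if hsts and hsts[0] > 0:
        findings.append("FAIL: HSTS enforced over HTTPS (max-age=%d, includeSubDomains=%s)" % hsts)

    return findings


def fetch(host, path="/", tls=False, timeout=10):
    """HEAD one URL without following redirects; return (status, lower-cased headers)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": "hsts-check/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_mirror(host, path="/"):
    """Fetch the HTTP and HTTPS views of one mirror and classify them."""
    status, http_headers = fetch(host, path, tls=False)
    try:
        _, https_headers = fetch(host, path, tls=True)
    except (OSError, http.client.HTTPException):
        https_headers = {}  # no HTTPS listener, so nothing can set HSTS
    return classify(status, http_headers, https_headers)


if __name__ == "__main__":
    # Hostnames and path are assumptions; pass mirrors on the command line.
    for mirror in sys.argv[1:] or ["deb.devuan.org"]:
        result = check_mirror(mirror)
        print(mirror, "OK" if not result else "; ".join(result))
```

Redirects are deliberately not followed: the finding is the redirect itself, not where it lands. A mirror that answers plain HTTP with 200 and no HSTS on either transport returns an empty list, which is the only passing outcome for an RR member.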

Issue History

Date Modified Username Field Change
2021-12-15 03:18 onefang New Issue
2021-12-15 03:18 onefang Status new => assigned
2021-12-15 03:18 onefang Assigned To => onefang
2021-12-15 03:33 onefang Note Added: 0000529