HSTS preload

The preload directive of the Strict-Transport-Security: header (HTTP)

Specifications

Meaning

[1] A host is a preloadable HSTS host if, when Known HSTS Host domain name matching is applied to it, it is either a superdomain match for a Known HSTS Host that includes both the includeSubDomains directive and the preload directive, or a congruent match for a Known HSTS Host that includes the preload directive. >>7
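The two match kinds in that definition (congruent match and superdomain match, in the sense of RFC 6797 section 8.2) decide whether a host inherits preloadable status from a parent entry. The following Python is an added illustration, not code from the page or from any browser: the KnownHstsHost entries are constructed sample data, and the flags would in practice come from the includeSubDomains and preload directives of the header the host sends.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownHstsHost:
    """One entry in the UA's set of Known HSTS Hosts (RFC 6797 terminology).

    include_subdomains / preload record whether the host's header carried those directives.
    """
    domain: str
    include_subdomains: bool = False
    preload: bool = False


def labels(domain):
    """Split a domain into lowercased labels; a trailing dot and letter case are ignored,
    since DNS names are case-insensitive."""
    return domain.lower().rstrip(".").split(".")


def congruent_match(known, host):
    """Congruent match: the two names are identical label for label."""
    return labels(known.domain) == labels(host)


def superdomain_match(known, host):
    """Superdomain match: the Known HSTS Host's domain is a proper suffix of host,
    aligned on a label boundary (so example.com matches www.example.com but not notexample.com)."""
    k, h = labels(known.domain), labels(host)
    return len(h) > len(k) and h[len(h) - len(k):] == k


def is_preloadable(host, known_hosts):
    """The definition from [1]: a congruent match with a preload entry, or a superdomain
    match with an entry that has both includeSubDomains and preload."""
    for kh in known_hosts:
        if congruent_match(kh, host) and kh.preload:
            return True
        if superdomain_match(kh, host) and kh.include_subdomains and kh.preload:
            return True
    return False


# Constructed sample entries for the demonstration; these are not real preload list data.
SAMPLE_KNOWN_HOSTS = (
    KnownHstsHost("example.com", include_subdomains=True, preload=True),
    KnownHstsHost("example.net", preload=True),              # preload but no includeSubDomains
    KnownHstsHost("example.org", include_subdomains=True),   # includeSubDomains but no preload
)

if __name__ == "__main__":
    for h in ("example.com", "WWW.Example.COM.", "example.net", "www.example.net",
              "sub.example.org", "notexample.com"):
        print(f"{h:20} preloadable={is_preloadable(h, SAMPLE_KNOWN_HOSTS)}")
```

Note that www.example.net is not preloadable even though example.net is: without includeSubDomains the parent's preload status does not extend downward, and notexample.com shows why matching must be done on label boundaries rather than on string suffixes.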

Implementations

[2] HTTP Strict Transport Security - Web security | MDN ( edition) https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
preload Optional
See Preloading Strict Transport Security for details. Not part of the specification.
[3] HSTS Preload Submission ( edition) https://hstspreload.appspot.com/

Note that the preload flag in the HSTS header is required to confirm and authenticate your submission to the preload list. An example valid HSTS header:

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

[4] http/transport_security_state_static.json - chromium/src/net - Git at Google ( edition) https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

[5] There seem to be people who signed up for HSTS Preload without understanding what it means and are now in trouble, saying things like they can no longer connect to their subdomains. That should not happen unless includeSubDomains and preload are explicitly specified in the header, so I suppose they copy-pasted it from some explanatory site and submitted it without understanding it...

[8] #16584 (HSTS preload list out of date?) – Tor Bug Tracker & Wiki ( edition) https://trac.torproject.org/projects/tor/ticket/16584

[9] nsSTSPreloadList.inc - DXR ( edition) https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc

[10] HSTS Preload List Submission () https://hstspreload.org/

If you maintain a project that provides HTTPS configuration advice or provides an option to enable HSTS, do not include the preload directive by default. We get regular emails from site operators who tried out HSTS this way, only to find themselves on the preload list by the time they find they need to remove HSTS to access certain subdomains.

[11] Preloading HSTS | Mozilla Security Blog () https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

We limit the list to hosts that send a large max-age under the assumption that these sites will not revert to non-HSTS status. However, this may become necessary. Suppose ownership of a domain on the preload list is transferred and the new owner decides to no longer use HSTS. The HSTS spec allows the site to send a header with the directive “max-age=0”. This indicates that HSTS should not be enforced for that host, and the browser would honor this. The preload list must replicate this behavior.

To accomplish this task, we introduce the concept of “knockout” entries in our HSTS implementation. When the browser receives an HSTS header with “max-age=0”, a knockout entry is stored that overrides the corresponding entry in the preload list. The knockout entry essentially says, “We have no HSTS information regarding this host.” As a result, the browser behaves as if the host were not on the preload list.
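The knockout mechanism described above, together with the header parsing it depends on, in Python as an added example. This is not Mozilla's or Chromium's code but a simplified model written for this page: the preload list is a constructed dict of hostname to includeSubDomains flag, the dynamic store and the KNOCKOUT sentinel are this example's own names, and a knocked-out name is simply treated as carrying no HSTS information during lookup. Header parsing follows RFC 6797 section 6.1 (max-age required, duplicated directives invalidate the header); the preload directive is parsed but, as MDN [2] notes, it has no effect on the UA and is only read by the submission tool [3].

```python
import time

# Sentinel for a "knockout" entry: the host sent max-age=0, so the UA holds no HSTS
# information for it, overriding whatever the static preload list says ([11]).
KNOCKOUT = object()


def parse_sts(header):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns {lowercase directive name: value or None}, or None when the UA must ignore the
    header: max-age missing or non-numeric, or any directive given more than once.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # quoted-string form, e.g. max-age="31536000"
        if name in directives:
            return None                      # a repeated directive invalidates the whole header
        directives[name] = value or None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


class HstsStore:
    """Static preload list plus a dynamic store; dynamic entries, including knockouts, win."""

    def __init__(self, preload_list, now=time.time):
        # preload_list: {hostname: include_subdomains}; constructed stand-in for the built-in list
        self._preload = {h.lower(): bool(s) for h, s in preload_list.items()}
        self._dynamic = {}                   # hostname -> KNOCKOUT or (expires_at, include_subdomains)
        self._now = now                      # injectable clock so expiry can be tested

    def process_header(self, host, header):
        """Apply an STS header received over a secure connection. Returns False if ignored."""
        d = parse_sts(header)
        if d is None:
            return False
        host = host.lower()
        max_age = int(d["max-age"])
        if max_age == 0:
            self._dynamic[host] = KNOCKOUT   # "we have no HSTS information regarding this host"
        else:
            self._dynamic[host] = (self._now() + max_age, "includesubdomains" in d)
        return True

    def _info(self, name):
        """includeSubDomains flag recorded for exactly this name, or None if there is no entry."""
        entry = self._dynamic.get(name)
        if entry is KNOCKOUT:
            return None                      # knockout hides the preload entry too
        if entry is not None:
            expires_at, include_subdomains = entry
            if self._now() < expires_at:
                return include_subdomains
            del self._dynamic[name]          # expired: forget it and fall back to the preload list
        return self._preload.get(name)

    def should_upgrade(self, host):
        """True if an http:// request to host must be rewritten to https://."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):         # the host itself, then each superdomain
            info = self._info(".".join(labels[i:]))
            if info is None:
                continue
            if i == 0 or info:               # exact match, or a superdomain with includeSubDomains
                return True
        return False


if __name__ == "__main__":
    store = HstsStore({"example.com": True, "example.net": False})   # constructed preload data
    print(store.should_upgrade("www.example.com"))                     # True: preloaded, includeSubDomains
    store.process_header("example.com", "max-age=0")                   # new owner turns HSTS off
    print(store.should_upgrade("www.example.com"))                     # False: knockout overrides preload
    store.process_header("example.net", "max-age=31536000; includeSubDomains; preload")
    print(store.should_upgrade("www.example.net"))                     # True: dynamic entry covers subdomains
```

The knockout only helps a visitor who actually reaches the site over HTTPS and receives the max-age=0 header; a browser that never connects again keeps enforcing the preload entry until its list is updated, which is why removal from the list itself is still needed.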

[55] Google Developers Japan: Introducing .app, a more secure home for apps on the web () https://developers-jp.googleblog.com/2018/05/introducing-app-more-secure-home-for.html

[12] 853934 - Some captive portals are using 1.1.1.1 and breaking because it's HSTS preloaded - chromium - Monorail () https://bugs.chromium.org/p/chromium/issues/detail?id=853934

[13] net/http/transport_security_state_static.json - chromium/src - Git at Google () https://chromium.googlesource.com/chromium/src/+/master/net/http/transport_security_state_static.json

[14] chromium/hstspreload.org: Chromium's HSTS preload list submission website. () https://github.com/chromium/hstspreload.org

[15] chromium/hstspreload: 🔒🔍 A Go package to scan sites against requirements for Chromium-maintained HSTS preload list. () https://github.com/chromium/hstspreload