Conversation
-
What the fuck... Why does every script enforce #HSTS? What if I want to install it somewhere on a LAN with a self-signed certificate??? Shouldn't HSTS be a WEBSERVER prerogative instead of the application's? >.< #killThoseBitches #mmnDontTakeItPersonally
-
@pztrn Until the cert system is fixed, self-signed is always going to be mistaken for malicious - unless you set up your own CA & trust. :(
-
There is no point in enforcing #HSTS at the application level, anyway.
-
@windigo @pztrn The #CertAuthority system cannot be fixed. It is functioning as designed. We can only hope for replacement.
-
@pztrn I could agree with that - especially if your application lends itself to self-hosting.
-
I'm not talking about the CA system, which is obviously shitty and corrupt. I'm talking about enforcing #HSTS (HTTP Strict Transport Security) at the application level, like enforcing it in PHP scripts (examples: GNU social, ownCloud). It forces the header regardless of user choice (and there is NO information on how to disable it in either's documentation).
-
https://tools.ietf.org/html/rfc6797#page-27
-
Not an excuse for HSTS-enforcing things :)
-
#HSTS works with self-signed certs, I don't see the problem. Though I agree maybe includeSubDomains should be off by default.
-
Only if you have imported own CA. :(
-
@windigo You must be mistaken
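An added example, not part of the thread and not code from GNU social or ownCloud: a small Python parser and auditor for the Strict-Transport-Security header as defined in RFC 6797, run over constructed sample responses (an app that always sends includeSubDomains, a webserver that sets a short policy for one host, and a LAN host with no policy), so a self-hoster can see exactly what pin a given application is setting before trusting it with a private CA.

```python
import re

# Constructed sample response headers (not captured from any real deployment):
# an app script that always emits includeSubDomains, a webserver policy for one host.
SAMPLE_RESPONSES = {
    "php-app": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "webserver": {"Strict-Transport-Security": "max-age=86400"},
    "lan-host": {},
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797 6.1: each directive appears at most once
            raise ValueError("duplicate directive: " + name)
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unrecognised directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def audit(headers):
    """Return findings a self-hoster would want to know before rolling out TLS."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no HSTS policy: browsers will not pin this host to HTTPS"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0: clears any stored policy for this host")
    else:
        findings.append("pins host to HTTPS for %d seconds" % policy["max_age"])
    if policy["include_subdomains"]:
        findings.append("includeSubDomains: pin extends to every subdomain")
    return findings
```

Once a browser has stored the pin, it refuses to click through certificate warnings for that host, so a self-signed certificate only works if the signing CA was imported before the first visit.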