Re: [websec] Comments on "I am testing HSTS"-directive and Issue #41 add parameter "hardfail=no"?

=JeffH <> Wed, 20 June 2012 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D44C121F870F for <>; Wed, 20 Jun 2012 10:53:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.495
X-Spam-Status: No, score=-102.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, GB_I_INVITATION=-2, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uMhFmsrWQ79I for <>; Wed, 20 Jun 2012 10:53:16 -0700 (PDT)
Received: from ( [IPv6:2605:dc00:100:2::a1]) by (Postfix) with SMTP id 16AD421F86F0 for <>; Wed, 20 Jun 2012 10:53:15 -0700 (PDT)
Received: (qmail 6526 invoked by uid 0); 20 Jun 2012 17:53:15 -0000
Received: from unknown (HELO ( by with SMTP; 20 Jun 2012 17:53:15 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=HjQ7P5fzMxZEgrdlM7K5YgMe637JDHh/fXppejvw7Xs=; b=ScBFM/ySu+5IdvFT8Qdp369kf3i86p6xrLYxNRkI+cCBVc3TZISuD/CyYbv8gQ9LGUHGp4M7b0uWOfQAJwMIUJLomvSn2Rm7tATC56RCw/HBLP/hTxcJn5jW8nEssou6;
Received: from [] (port=11047 helo=[]) by with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <>) id 1ShP5e-0001sr-Uw for; Wed, 20 Jun 2012 11:53:14 -0600
Message-ID: <>
Date: Wed, 20 Jun 2012 10:53:14 -0700
From: =JeffH <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: IETF WebSec WG <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {} {sentby:smtp auth authed with}
Subject: Re: [websec] Comments on "I am testing HSTS"-directive and Issue #41 add parameter "hardfail=no"?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jun 2012 17:53:17 -0000


Tobias wrote..
 > I would like to ask for feedback/opinions from the WG on this draft
 > regarding the following open issue:
 > - in Paris  we had a discussion about whether HSTS header should specify
 > a "I am testing HSTS" directive. There was some support for this in the
 > room but no consensus.

ptr to meeting minutes below at [1].

 > I would like to make a final invitation for comments/views/opinions on this?

Please also note that I comment on this near the end of this recent message..

Re: [websec] Issue #41 add parameter indicating whether to hardfail or not

Here's what I wrote in that msg:

In the Paris WG session, the discussion of the above morphed to thinking about 
having a new "this site is testing HSTS" directive.

In thinking about this, we don't think it is really necessary because if one 
declares one's web app as being HSTS, one can watch server logs to see if any 
requests come in over plain http, and then go track those issues down. You 
don't really need the user agent's help to figure out what is happening. It's 
just going to mechanically transform all http URIs pointing to your site into 
https ones, and try to load them, and if they 404, you'll know it (via your logs).

It's arguably different with Content Security Policy (CSP) -- which is where 
the discussed notion came from ("report-only") -- because in CSP, the user 
agent is enforcing policy on loaded content within itself and there may be no 
other way to figure out what it's doing.

 > - And as this is somehow related:
 > the still open #41: should HSTS have an option like "hardfail=no"?
 > Our meeting discussion in Paris did not show consensus in support of this.

And I commented on that in the beginning of the above-mentioned message.



 > and just in case anyone wants to read up on our meeting minutes from Paris: