[wp-trac] [WordPress Trac] #28521: FORCE_SSL constant for really forcing SSL
WordPress Trac
noreply at wordpress.org
Fri May 10 10:40:27 UTC 2019
#28521: FORCE_SSL constant for really forcing SSL
-------------------------------+-----------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch https | Focuses:
-------------------------------+-----------------------------
Comment (by iandunn):
Replying to [comment:18 westonruter]:
> 8. Add HSTS response header.
Is that safe to do by default? It seems like most users won't be aware of
the consequences, or understand them.
If they ever lose their SSL (by switching to a host that doesn't have
Let's Encrypt, deciding they don't want to pay for their host's SSL
upgrade anymore, experiencing technical difficulties renewing, etc.), then
instead of the site (somewhat) gracefully downgrading to HTTP, returning
browsers would continue redirecting to HTTPS for the remainder of the
`max-age`, and then throw up a big scary warning that the site isn't safe.
It seems like it may be something that's best left to experienced users to
intentionally configure after they've understood the requirements and
committed to the process. See the attachment below for the warning that
CloudFlare shows to users when they start to configure HSTS.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28521#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
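The opt-in approach the comment argues for, as an added example that is not from the ticket or from WordPress core: HSTS is emitted only when the site owner has deliberately set a constant, starting from a short `max-age`, and `includeSubDomains` stays off unless requested. The `WP_HSTS_MAX_AGE` and `WP_HSTS_INCLUDE_SUBDOMAINS` constants and the `hsts_header_value()` helper are assumed names; `is_ssl()`, `add_action()` and the `send_headers` hook are real WordPress APIs.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// WP_HSTS_MAX_AGE, WP_HSTS_INCLUDE_SUBDOMAINS and hsts_header_value() are
// hypothetical names chosen for this example.

/**
 * Build the Strict-Transport-Security header value, or null if it must not be sent.
 *
 * @param bool     $is_https   Whether the current request arrived over TLS.
 * @param int|null $max_age    Opt-in max-age in seconds (null = owner has not opted in).
 * @param bool     $subdomains Whether the owner also opted in to includeSubDomains.
 * @return string|null
 */
function hsts_header_value( $is_https, $max_age, $subdomains = false ) {
    // Never emit HSTS on a plain HTTP response: browsers ignore it there, and
    // an unconfigured site has made no commitment worth advertising.
    if ( ! $is_https || null === $max_age ) {
        return null;
    }
    $max_age = (int) $max_age;
    if ( $max_age < 0 ) {
        return null;
    }
    // max-age=0 is the documented rollback: a returning browser drops the stored
    // policy, which is how an owner unwinds HSTS while HTTPS still works.
    $value = 'max-age=' . $max_age;
    // includeSubDomains extends the commitment to every subdomain (mail, dev,
    // staging...), so it stays off unless explicitly requested.
    if ( $subdomains ) {
        $value .= '; includeSubDomains';
    }
    return $value;
}

add_action( 'send_headers', function () {
    // Opt-in: the owner defines WP_HSTS_MAX_AGE in wp-config.php once they
    // understand the commitment. A short trial value such as 300 seconds lets
    // them verify renewals work before raising it to months.
    $max_age = defined( 'WP_HSTS_MAX_AGE' ) ? WP_HSTS_MAX_AGE : null;
    $subs    = defined( 'WP_HSTS_INCLUDE_SUBDOMAINS' ) && WP_HSTS_INCLUDE_SUBDOMAINS;
    $value   = hsts_header_value( is_ssl(), $max_age, $subs );
    if ( null !== $value && ! headers_sent() ) {
        header( 'Strict-Transport-Security: ' . $value );
    }
} );
```

With no constant defined the hook sends nothing, so a site that later loses its certificate degrades to HTTP exactly as the comment describes, rather than stranding returning visitors.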