
enable HSTS by default

Open pperzyna opened this issue 5 years ago • 1 comment

What do you think about enabling HSTS as the default?

pperzyna avatar Feb 20 '20 13:02 pperzyna

Hi @pperzyna ;)

HSTS is great, but it's also dangerous - you can't easily turn it off since it's saved locally in users' browsers. People who just want to have SSL don't really care about this until it's too late.

I've deliberately made it optional because I've seen many problems caused by turning it on too early. For example, if someone is just testing and has misconfigured something (for example, not using volumes correctly), they can easily hit the weekly limit of 5 LE certificate renewals. Or someone would like to just "check if it works", but for some reason will decide not to use it. Enabling HSTS by default makes all of these situations hard to go back from.

On the other hand, currently enabling it requires image rebuild. Maybe you could submit a PR introducing ENV variable making it possible to easily turn it on?

Valian avatar Feb 22 '20 16:02 Valian
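One way to implement the ENV-variable switch suggested above, as an added example that is not code from the docker-nginx-auto-ssl project: a small POSIX sh helper an entrypoint could call to generate an nginx include file. The `Strict-Transport-Security` header is only emitted when the container is started with the flag set, and the default `max-age` is kept short so a misconfigured test deployment can still be rolled back quickly. The variable names `ENABLE_HSTS` and `HSTS_MAX_AGE`, the `hsts.conf` include path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of docker-nginx-auto-ssl.
# Generates an nginx include snippet that adds the HSTS header only when
# ENABLE_HSTS is set to true. ENABLE_HSTS, HSTS_MAX_AGE and the include
# path are assumed names chosen for this illustration.

# Print the nginx directive for the given settings (or a comment when off).
#   $1 = ENABLE_HSTS value, $2 = HSTS_MAX_AGE in seconds
hsts_directive() {
  enable="${1:-false}"
  max_age="${2:-300}"   # short max-age while testing; raise (e.g. 31536000) once stable
  case "$enable" in
    true|TRUE|1|yes)
      # Refuse anything that is not a non-negative integer so we never emit
      # a broken directive that would stop nginx from starting.
      case "$max_age" in
        ''|*[!0-9]*)
          echo "HSTS_MAX_AGE must be a non-negative integer" >&2
          return 1
          ;;
      esac
      # 'always' makes nginx send the header on error responses too.
      printf 'add_header Strict-Transport-Security "max-age=%s; includeSubDomains" always;\n' "$max_age"
      ;;
    *)
      # HSTS stays off: emit only a comment so the include file is always valid.
      printf '# HSTS disabled (set ENABLE_HSTS=true to enable)\n'
      ;;
  esac
}

# Write the include file a server block can pull in with
#   include /etc/nginx/conf.d/hsts.conf;   (path is an assumption)
write_hsts_include() {
  out="${1:-/etc/nginx/conf.d/hsts.conf}"
  hsts_directive "${ENABLE_HSTS:-false}" "${HSTS_MAX_AGE:-300}" > "$out"
}

# Stand-alone run: show what would be generated for the current environment,
# e.g.  ENABLE_HSTS=true HSTS_MAX_AGE=300 sh hsts.sh
hsts_directive "${ENABLE_HSTS:-false}" "${HSTS_MAX_AGE:-300}"
```

Because the header is opt-in and the include file is valid in both states, an image built this way behaves exactly like the current one unless the operator explicitly sets `ENABLE_HSTS=true`, which keeps the "just checking if it works" case reversible.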