pshtt
Incorrect calculation for "Enforces HTTPS"
🐛 Bug Report
To Reproduce
Steps to reproduce the behavior:
Install pshtt on CentOS 7.7. Run a test against the desired site with known Valid HTTPS and Defaults to HTTPS.
Expected behavior
A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True.
I support a federal agency. According to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect.
Test site was "list.ahrq.gov".
Remember that it checks [site].[tld] as well as [www].[site].[tld]. http://www.list.ahrq.gov returns a 404; it doesn't 3xx redirect to https. Neil
From: mpreissner Sent: Friday, November 8, 2019 8:51 AM To: cisagov/pshtt Subject: [cisagov/pshtt] Incorrect calculation for "Enforces HTTPS" (#207)
Thanks Neil. If we simply get rid of the www 4th level domain, will that make the calculation come up as desired?
You're right, the documentation should be updated. https://github.com/cisagov/pshtt/pull/192 updated the logic for Domain Enforces HTTPS to also require Strictly Forces HTTPS to be True.
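Worked example, added here and not code from pshtt itself: it models the four endpoints a scan looks at (http/https on the apex and the www host), derives the per-domain flags from them, and then combines those flags both the way the issue quotes from the documentation and the way the maintainer describes after pull request 192. The Endpoint model and the way each flag is derived from it are simplified assumptions for illustration; only the two combining rules come from this thread, and the sample domain (example.gov) is constructed rather than a real scan result.

```python
# Added illustration, not code from pshtt. The Endpoint model and the way the
# per-domain flags are derived from it are simplified assumptions; only the two
# ways of combining the flags into "Domain Enforces HTTPS" come from the thread.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Endpoint:
    """One of the four endpoints a scan probes: http/https x apex/www."""
    scheme: str                      # "http" or "https"
    host: str                        # "example.gov" or "www.example.gov"
    status: Optional[int]            # HTTP status code, None if unreachable
    location: Optional[str] = None   # Location header on a 3xx, if any
    valid_https: bool = False        # TLS handshake and certificate checked out


def redirects_to_https(ep: Endpoint) -> bool:
    """True when the endpoint answers 3xx with an https:// Location."""
    return (ep.status is not None and 300 <= ep.status < 400
            and ep.location is not None and ep.location.startswith("https://"))


def supports_https(eps: List[Endpoint]) -> bool:
    # Domain Supports HTTPS ("Valid HTTPS"): at least one https endpoint is good.
    return any(e.scheme == "https" and e.valid_https for e in eps)


def defaults_to_https(eps: List[Endpoint]) -> bool:
    # Defaults to HTTPS (assumed simplification): the apex http endpoint
    # sends the client to https.
    apex_http = [e for e in eps if e.scheme == "http" and not e.host.startswith("www.")]
    return bool(apex_http) and redirects_to_https(apex_http[0])


def strictly_forces_https(eps: List[Endpoint]) -> bool:
    # Strictly Forces HTTPS (assumed simplification): every http endpoint that
    # answers at all redirects to https. An http://www host answering 404
    # instead of 3xx, as described in the thread, makes this False.
    live_http = [e for e in eps if e.scheme == "http" and e.status is not None]
    return all(redirects_to_https(e) for e in live_http)


def redirect(eps: List[Endpoint]) -> bool:
    # Redirect (assumed simplification): some endpoint hands off to a host
    # outside the domain's own apex/www pair.
    own_hosts = {e.host for e in eps}
    return any(bool(e.location) and urlsplit(e.location).hostname not in own_hosts
               for e in eps)


def enforces_https_documented(flags: dict) -> bool:
    # Rule as quoted in the issue:
    # Supports AND (Defaults OR (Strictly Forces AND Redirect))
    return flags["supports"] and (flags["defaults"] or (flags["strict"] and flags["redirect"]))


def enforces_https_after_pr192(flags: dict) -> bool:
    # Rule after cisagov/pshtt#192 as described in the maintainer's reply:
    # the documented rule, plus Strictly Forces HTTPS must also be True.
    return enforces_https_documented(flags) and flags["strict"]


def evaluate(eps: List[Endpoint]) -> dict:
    """Derive every flag for one domain and apply both combining rules."""
    flags = {
        "supports": supports_https(eps),
        "defaults": defaults_to_https(eps),
        "strict": strictly_forces_https(eps),
        "redirect": redirect(eps),
    }
    flags["enforces_documented"] = enforces_https_documented(flags)
    flags["enforces_after_pr192"] = enforces_https_after_pr192(flags)
    return flags


# Constructed sample with the shape of the report: apex http redirects to
# https, https is valid on both hosts, but http://www answers 404.
REPORTED_SHAPE = [
    Endpoint("http", "example.gov", 301, "https://example.gov/"),
    Endpoint("https", "example.gov", 200, None, True),
    Endpoint("http", "www.example.gov", 404),
    Endpoint("https", "www.example.gov", 200, None, True),
]

if __name__ == "__main__":
    for name, value in evaluate(REPORTED_SHAPE).items():
        print(f"{name:>22}: {value}")
```

Run as-is, the constructed sample comes out Supports=True, Defaults=True, Strictly Forces=False, so the documented rule says Enforces HTTPS=True while the post-#192 rule says False, which is the discrepancy the report describes. Under this model, dropping the two www endpoints leaves only an http endpoint that redirects, so Strictly Forces HTTPS becomes True and both rules agree; whether pshtt itself behaves that way depends on its actual flag derivation, which this example does not reproduce.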