hstspreload
A Go package to scan sites against requirements for Chromium-maintained HSTS preload list.
The user agent for hstspreload requests is generic `user-agent: Go-http-client/2.0`. Can this be set to something specific to identify the bot? This would enable server admins to whitelist the bot...
Because `MaxAge.Seconds` has type `uint64`, its value cannot be negative.
The warning for a max-age > 10 years does not currently explain why that may be an issue. Explanatory text added.
https://cs.chromium.org/chromium/src/net/url_request/url_request.h?sq=package:chromium&dr=C&g=0&l=137 sets the redirect limit in Chrome, based on the Fetch spec.
There are a few .app domains on the preload list, but the entire app TLD is preloaded. We should reject these submissions because they're already covered by the TLD entry.
Some of the test cases in redirects_test.go and domain_test.go rely on the behavior of external domains. For some of these tests, that behavior has changed and the tests are no...
Testing [1.1.1.1](https://hstspreload.org/?domain=1.1.1.1) returns that it's a subdomain, even though it's actually an IP address and therefore it should be preloadable. Same happens with [1.0.0.1](https://hstspreload.org/?domain=1.0.0.1). The IPv6 addresses of [2606:4700:4700::1111](https://hstspreload.org/api/v2/preloadable?domain=2606:4700:4700::1111) and...
Today marks the second time I've received a submission that was rejected because [the Go public suffix package](https://github.com/golang/net/blob/master/publicsuffix/table.go) was out of date. We could: - Try to get the Go...
The HSTS preload checker currently requires an internal redirect before an external redirect:  In this case, the domain in question (`greengov.gov`) always redirects immediately to `https://www.whitehouse.gov/greengov/`,...
I don't know much about Go, but the old code definitely looks wrong.