Eric Mill

Results 333 comments of Eric Mill

> https://yourefired.usajobs.gov is not a host that OPM should be held accountable for

So, it depends. What circumstances in trustymail make it reasonable to treat this differently from a deliberately...

The main reason I was considering meta redirects as possible is because in theory we should already have the HTML content from our requests to the site, and no more...

From #67:

> I think we should add a conditional to the calculation that ensures that at least one of the endpoints is an external redirect. Something like: ```python #...

Just noting for myself and others that this is still an issue, and affects at least one second-level domain in exim.gov: https://s3-us-gov-west-1.amazonaws.com/cg-4adefb86-dadb-4ecf-be3e-f1c7b4f6d084/live/cache/pshtt/exim.gov.json EDIT: URL is now https://s3-us-gov-west-1.amazonaws.com/cg-4adefb86-dadb-4ecf-be3e-f1c7b4f6d084/live/cache/pshtt/exim.gov.json

Some examples of pathological HSTS situations as I find them:

```
$ curl --head --header "User-agent: Hey there" https://telework.gov
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=edge
X-Powered-By: ASP.NET
Origin-Server: www1...
```

```
$ curl --head --insecure https://jamesmadison.gov
HTTP/1.1 200 OK
Date: Thu, 18 Aug 2016 17:45:09 GMT
Server: Apache
Vary: Accept-Encoding
X-SA-Server: 1.apache.prod
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: includeSubDomains
Connection:...
```

Here are the test cases I wrote for `site-inspector` that I would want to reproduce in a unit test suite here: https://github.com/benbalter/site-inspector/blob/erics-mode/test/test_hsts.rb

```
$ curl --head https://www.bnl.gov
HTTP/1.1 302 Moved Temporarily
Cache-Control: Private
...
Strict-Transport-Security: 'max-age=10886400'
```

```
$ curl --head https://www.bop.gov
HTTP/1.1 200 OK
...
Strict-transport-security: max-age=31536000; includeSubDomains; preload
```
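An added example, not code from pshtt or site-inspector: a small Python parser for `Strict-Transport-Security` that reproduces the pathological cases quoted in the curl output above (bnl.gov's single-quoted value, jamesmadison.gov's missing `max-age`, bop.gov's lower-cased header name). The STS values are copied from those responses; the header lists are constructed for the example and the other response headers are omitted.

```python
import re

# Directive names are case-insensitive (RFC 6797); a value may be a token or
# a double-quoted string. Single quotes are not HTTP quoting, so a value like
# 'max-age=10886400' (bnl.gov above) yields a directive named "'max-age" and
# therefore no max-age at all.
_INT_RE = re.compile(r"[0-9]+")


def parse_hsts(value):
    """Parse one Strict-Transport-Security header value.

    Returns a dict with max_age (int or None), include_subdomains, preload,
    and a list of human-readable problems found while parsing.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "problems": []}
    seen = set()
    for raw in value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]  # strip a legitimate HTTP quoted-string
        if name in seen:
            # RFC 6797 says each directive appears at most once; flag it
            # rather than guess what a given browser does with the repeat.
            result["problems"].append("duplicate directive: %s" % name)
            continue
        seen.add(name)
        if name == "max-age":
            if _INT_RE.fullmatch(val):
                result["max_age"] = int(val)
            else:
                result["problems"].append("max-age value is not an integer: %r" % val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            # Not in RFC 6797; used by the browser preload-list process.
            result["preload"] = True
        else:
            result["problems"].append("unknown directive: %r" % name)
    if result["max_age"] is None:
        # Without a usable max-age there is no policy for a browser to apply.
        result["problems"].append("missing or unparseable max-age")
    return result


def hsts_from_headers(headers):
    """headers: list of (name, value) pairs in response order. Header names
    are matched case-insensitively (cf. the bop.gov response above).
    Returns the parsed first STS header, or None when none is present."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return None
    parsed = parse_hsts(values[0])
    if len(values) > 1:
        # RFC 6797 section 8.1: only the first STS header field is processed.
        parsed["problems"].append(
            "%d Strict-Transport-Security headers; only the first is processed"
            % len(values))
    return parsed


def hsts_status(headers):
    """Classify a response as absent / invalid / disabled / enforced."""
    parsed = hsts_from_headers(headers)
    if parsed is None:
        return "absent"
    if parsed["max_age"] is None:
        return "invalid"
    if parsed["max_age"] == 0:
        return "disabled"  # max-age=0 tells the browser to forget the policy
    return "enforced"


# Constructed header lists: STS values copied from the curl output above,
# other response headers omitted.
SAMPLES = {
    "bnl.gov": [("Strict-Transport-Security", "'max-age=10886400'")],
    "jamesmadison.gov": [("Strict-Transport-Security", "includeSubDomains")],
    "bop.gov": [("Strict-transport-security",
                 "max-age=31536000; includeSubDomains; preload")],
}

if __name__ == "__main__":
    for host, headers in SAMPLES.items():
        parsed = hsts_from_headers(headers)
        print(host, hsts_status(headers), parsed["problems"])
```

The parser deliberately keeps browser-relevant outcomes (absent, invalid, disabled, enforced) separate from the list of syntax problems, so a scanner can report "this header is ignored by browsers" alongside the specific reason.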

Just flagging that the priority here is higher, as fdic.gov is causing a crash during long-running scans.