author | Daniel Stenberg <daniel@haxx.se> | 2021-02-10 22:54:33 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-02-10 22:54:33 +0100 |
commit | c386a0df441538ee4fbcf6e4bdac77abe5cc3e5d (patch) | |
tree | 76da39a9971fe15fdbebad4f22cce61f8c0bfe32 | |
parent | 89e572af82f0d12666fe843f2a7d1dd670500753 (diff) | |
download | curl-c386a0df441538ee4fbcf6e4bdac77abe5cc3e5d.tar.gz |
TODO: remove HSTS
Provided now since commit 7385610d0c74
-rw-r--r-- | docs/TODO | 11 |
1 files changed, 0 insertions, 11 deletions
@@ -116,7 +116,6 @@ 13.9 TLS record padding 13.10 Support Authority Information Access certificate extension (AIA) 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY - 13.12 Support HSTS 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension @@ -810,16 +809,6 @@ Adding this feature would make curls pinning 100% compatible to HPKP and allow more flexible pinning. -13.12 Support HSTS - - "HTTP Strict Transport Security" is TOFU (trust on first use), time-based - features indicated by a HTTP header send by the webserver. It is widely used - in browsers and it's purpose is to prevent insecure HTTP connections after a - previous HTTPS connection. It protects against SSLStripping attacks. - - Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security - RFC 6797: https://tools.ietf.org/html/rfc6797 - 13.13 Make sure we forbid TLS 1.3 post-handshake authentication RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3 |
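Review bot: In the first hunk (the index around line 116), removing "13.12 Support HSTS" leaves the numbering jumping from 13.11 to 13.13. If the gap is intentional so that existing references to 13.13 and 13.14 stay valid, say so in the commit message; otherwise renumber the following entries in both the index and the body in this same change so the two lists cannot drift apart.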
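Review bot: In the second hunk (the body around line 810), the deleted 13.12 paragraph is the only text in this diff that records HSTS as trust on first use and time-based, together with the RFC 6797 link. Before dropping it, confirm that the documentation shipped with commit 7385610d0c74 carries the same caveat and reference, since a TOFU mechanism gives no protection on the first connection and users enabling the feature need to know that.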