diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2020-11-02 23:17:01 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2020-11-03 16:08:42 +0100 |
| commit | 7385610d0c74c6a254fea5e4cd6e1d559d848c8c (patch) | |
| tree | 3b572bcf972062b7cc1315ac23fdb547e7216463 /docs/HSTS.md | |
| parent | 9f43b28f783cc8f7464492a0b5b9dd35c1625fde (diff) | |
| download | curl-7385610d0c74c6a254fea5e4cd6e1d559d848c8c.tar.gz | |
hsts: add support for Strict-Transport-Security
- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle
Closes #5896
Diffstat (limited to 'docs/HSTS.md')
| -rw-r--r-- | docs/HSTS.md | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/docs/HSTS.md b/docs/HSTS.md new file mode 100644 index 000000000..c3f08393c --- /dev/null +++ b/docs/HSTS.md @@ -0,0 +1,44 @@ +# HSTS support + +curl features **EXPERIMENTAL** support for the Strict-Transport-Security: HTTP +header. Added in curl 7.74.0 + +## Standard + +[HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797) + +## Behavior + +libcurl features an in-memory cache for HSTS hosts, so that subsequent +HTTP-only requests to a host name present in the cache will get internally +"redirected" to the HTTPS version. + +## `curl_easy_setopt()` options: + + - `CURLOPT_HSTS_CTRL` - enable HSTS for this easy handle + - `CURLOPT_HSTS` - specify file name where to store the HSTS cache on close + (and possibly read from at startup) + +## curl cmdline options + + - `--hsts [filename]` - enable HSTS, use the file as HSTS cache. If filename + is `""` (no length) then no file will be used, only in-memory cache. + +## HSTS cache file format + +Lines starting with `#` are ignored. + +For each hsts entry: + + [host name] "YYYYMMDD HH:MM:SS" + +The `[host name]` is dot-prefixed if it is a includeSubDomain. + +The time stamp is when the entry expires. + +I considered using wget's file format for the HSTS cache. However, they store the time stamp as the epoch (number of seconds since 1970) and I strongly disagree with using that format. Instead I opted to use a format similar to the curl alt-svc cache file format. + +## Possible future additions + + - `CURLOPT_HSTS_PRELOAD` - provide a set of preloaded HSTS host names + - ability to save to something else than a file |