summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2021-02-10 22:54:33 +0100
committerDaniel Stenberg <daniel@haxx.se>2021-02-10 22:54:33 +0100
commitc386a0df441538ee4fbcf6e4bdac77abe5cc3e5d (patch)
tree76da39a9971fe15fdbebad4f22cce61f8c0bfe32 /docs
parent89e572af82f0d12666fe843f2a7d1dd670500753 (diff)
downloadcurl-c386a0df441538ee4fbcf6e4bdac77abe5cc3e5d.tar.gz
TODO: remove HSTS
Provided now since commit 7385610d0c74
Diffstat (limited to 'docs')
-rw-r--r--docs/TODO11
1 files changed, 0 insertions, 11 deletions
diff --git a/docs/TODO b/docs/TODO
index 2f54085aa..004b4e52a 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -116,7 +116,6 @@
13.9 TLS record padding
13.10 Support Authority Information Access certificate extension (AIA)
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
- 13.12 Support HSTS
13.13 Make sure we forbid TLS 1.3 post-handshake authentication
13.14 Support the clienthello extension
@@ -810,16 +809,6 @@
Adding this feature would make curls pinning 100% compatible to HPKP and
allow more flexible pinning.
-13.12 Support HSTS
-
- "HTTP Strict Transport Security" is TOFU (trust on first use), time-based
- features indicated by a HTTP header send by the webserver. It is widely used
- in browsers and it's purpose is to prevent insecure HTTP connections after a
- previous HTTPS connection. It protects against SSLStripping attacks.
-
- Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
- RFC 6797: https://tools.ietf.org/html/rfc6797
-
13.13 Make sure we forbid TLS 1.3 post-handshake authentication
RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3