Update the security options to best practice for domains page
Tiny things, should be easily implemented:
1) For HSTS the recommended settings are
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Otherwise, if you add it elsewhere (the server headers page), you have to turn this off or you get two headers implemented, and you do not get the full security rating on that security page and it looks like something is missing (plus it is inconvenient if you do not know what to do).
2) OCSP stapling is something no longer recommended, and probably should be removed. Perhaps this could be replaced with automatic setup of the DS and CAA records (especially given the range of providers that require people to know who is the provider of the certificates that might be purchased, or with the fact that you have letsencrypt, sectigo, digicert (and pki.goog?) on offer).
3) An additional thing would be to implement NEL reporting. Would be useful to be able to offer NEL (Network Error Logging) as a header option for general troubleshooting:
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
These are the recommended settings according to Scott Helme, Report URI, OWASP, and Mozilla (MDN), e.g.:
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://scotthelme.co.uk/hsts-cheat-sheet/
https://scotthelme.co.uk/revocation-is-broken/
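The duplicate-HSTS problem described in point 1 (and again in the later comment about switching the panel's header off to add `preload` yourself) and the NEL header in point 3 can both be checked mechanically. The following is an added example written for this thread, not code from the original request or from the hosting panel; it audits a constructed list of response headers offline. The sample headers, the `RECOMMENDED_MAX_AGE` constant and the function names are assumptions of this example.

```python
import json
from typing import Dict, List, Tuple, Union

# Recommended HSTS policy cited in the request (OWASP / Scott Helme cheat sheets).
RECOMMENDED_MAX_AGE = 31536000  # one year, in seconds

# Members defined by the W3C Network Error Logging spec; "reportto"/"maxage" are not among them.
NEL_REQUIRED = {"report_to", "max_age"}
NEL_KNOWN = NEL_REQUIRED | {"include_subdomains", "success_fraction", "failure_fraction",
                            "request_headers", "response_headers"}


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797); valueless directives map to True.
    """
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the HSTS header(s) in a response.

    `headers` is a list of (name, value) pairs because a response may carry the same
    header twice; that is exactly the duplicate-record case from the request.
    RFC 6797 says a browser processes only the first STS header, so a `preload`
    added in .htaccess behind the panel's own header is silently ignored.
    """
    findings: List[str] = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        return ["HSTS header missing"]
    if len(hsts) > 1:
        findings.append(f"duplicate HSTS headers ({len(hsts)}); browsers use only the first")
    d = parse_hsts(hsts[0])
    try:
        max_age = int(str(d.get("max-age", "-1")))
    except ValueError:
        max_age = -1
    if max_age < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age {max_age} below recommended {RECOMMENDED_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload missing (required for the preload list)")
    return findings


def check_nel(value: str) -> List[str]:
    """Validate a NEL header value: a JSON object with report_to and max_age members."""
    findings: List[str] = []
    try:
        policy = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"NEL value is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["NEL value must be a JSON object"]
    for key in sorted(NEL_REQUIRED - set(policy)):
        findings.append(f"NEL missing required member '{key}'")
    for key in policy:
        if key not in NEL_KNOWN:
            findings.append(f"NEL unknown member '{key}' (misspelled?)")
    if "max_age" in policy and not isinstance(policy["max_age"], int):
        findings.append("NEL max_age must be an integer")
    return findings


def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Run both checks over one response's headers."""
    findings = check_hsts(headers)
    for name, value in headers:
        if name.lower() == "nel":
            findings.extend(check_nel(value))
    return findings


# Constructed sample (assumption): HSTS enabled in the panel AND added again in
# .htaccess with preload, plus a NEL header using misspelled member names.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("NEL", '{"reportto":"default","maxage":31536000,"include_subdomains":true}'),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("-", finding)
```

Running it against the sample reports the duplicate header, notes that the first (panel-set) header lacks `preload`, and flags the misspelled NEL members; a single header of `max-age=31536000; includeSubDomains; preload` and a NEL value with `report_to`/`max_age` produce no findings.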
We regret to inform you that, since no additional details were provided for over a month and we still have no clear idea of the user benefits over the existing option, we are closing the request.
-- SH
-
Jonathan Jewell commented
Sorry, I misread it - I thought you said that you were going to add the other options for different times in there for HSTS. I would have only suggested other than that, a 9-month period.
The only other thing re that was to allow it to include the 'preload' argument on the end of the HSTS statement so that it is complete and in line with the other structures it compares to online. Otherwise, the whole thing needs to be switched off in your implementation, and the whole new statement added with preload on the end, either directly into the .htaccess file, or implemented into either Apache, Nginx, or PHP. I now have just assumed it should be turned off so that the full setting is implemented, but for most people, I suppose they will not know what it is anyway, and switching it on as is at least sets it up as an improvement, if not the full setting with preload.
https://stackoverflow.com/questions/71377849/hsts-preload-meaning
This thread talks through some of the details of that, but I will just accept it as is, and sort it out for myself. It seems it should be an easy adjustment, and missed opportunity not to have three aspects - max age, include subdomains, and preload arguments - and if you turn it on and do it separately, you get a duplicate HSTS record and warnings associated with that, but maybe it is harder to do than I thought.
I'll sort the other two items out later in a separate thread, but thank you for your attention to this question. Have a great day.
So there is not much more