Update the security options to best practice for domains page
Tiny things, should be easily implemented:
1) For HSTS the recommended settings are
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Otherwise if you add it elsewhere (the server headers page) you have to turn this off or get two headers implemented, and you do not get the full security rating on that security page and looks like something is missing (plus inconvenient if you do not know what to do).
2) OCSP stapling is something no longer recommended, and probably should be removed. Perhaps this could be replaced with automatic setup of the DS and CAA records (especially given the range of providers that require people to know who is the provider of the certificates that might be purchased, or given that you have letsencrypt, sectigo, digicert (and pki.goog?) on offer).
3) An additional thing would be to implement NEL reporting. Would be useful to be able to offer NEL (Network Error Logging) as a header option for general troubleshooting:
NEL: {"report_to":"default","max_age":31536000,"include_subdomains":true}
These are the recommended settings according to Scott Helme, Report URI, OWASP, and Mozilla (MDN), e.g.:
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://scotthelme.co.uk/hsts-cheat-sheet/
https://scotthelme.co.uk/revocation-is-broken/
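An added check, not part of this post or of Plesk, that evaluates a response's HSTS and NEL headers against the settings recommended above and flags the duplicate-HSTS case described in item 1; the sample header sets are constructed for illustration.

```python
import json

ONE_YEAR = 31536000  # max-age in seconds recommended in the post

# Constructed sample responses (not from the post), as (name, value) pairs.
SAMPLES = {
    "good": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Report-To", '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.com/r"}]}'),
        ("NEL", '{"report_to":"default","max_age":31536000,"include_subdomains":true}'),
    ],
    "six_months": [("Strict-Transport-Security", "max-age=15768000; includeSubDomains")],
    "duplicate": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Strict-Transport-Security", "max-age=15768000"),
    ],
}

def parse_hsts(value):
    """Split an HSTS value into {directive name (lower-cased): value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_headers(headers):
    """Return a list of findings; an empty list means the headers match the recommendation."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS missing")
    else:
        if len(hsts) > 1:  # RFC 6797: a UA processes only the first STS header field
            findings.append("HSTS sent %d times; only the first is honoured" % len(hsts))
        d = parse_hsts(hsts[0])
        if int(d.get("max-age", "0")) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        for directive in ("includesubdomains", "preload"):
            if directive not in d:
                findings.append("HSTS lacks %s" % directive)
    nel = [v for n, v in headers if n.lower() == "nel"]
    if nel:
        try:
            policy = json.loads(nel[0])
            groups = [json.loads(v).get("group") for n, v in headers if n.lower() == "report-to"]
            if policy.get("report_to") not in groups:  # NEL needs a matching Report-To group
                findings.append("NEL report_to group has no matching Report-To header")
        except (ValueError, AttributeError):
            findings.append("NEL header is not valid JSON")
    return findings
```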
Thank you for your input. The functionality is already available in the SSL It! Plesk Extension:
The only difference is the default max-age option is 6 months rather than a year, but it could be customized. In case this is not a satisfactory solution, could you please provide us with more feedback on the reason?
As for your additional two suggestions please open a separate idea. We aim to keep every request separate with consideration to consistency and better tracking.
Thank you in advance for your cooperation.
-- SH