RF: hsts #53
RF: hsts #53
Conversation
Codecov ReportAttention: Patch coverage is
Flags with carried forward coverage won't be shown. Click here to find out more.
|
checks/hsts.go
Outdated
| } | ||
| defer resp.Body.Close() | ||
|
|
||
| hstsHeader := resp.Header.Get(StrictTransportSecurity) |
There was a problem hiding this comment.
headers can be set in one valid string such as
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
or multiple such as
Strict-Transport-Security: max-age=63072000
Strict-Transport-Security: includeSubDomains; preload
both are valid but the use of Get only returns one in the case of scenario 2.
There was a problem hiding this comment.
*http.Response.header is a map so would the second Strict-Transport-Security not replace the first value?
| return &HSTSResponse{Message: "Site does not serve any HSTS headers."}, nil | ||
| } | ||
|
|
||
| if !strings.Contains(hstsHeader, "max-age") { |
There was a problem hiding this comment.
Although max-age is not optional, I guess we shouldn't assume it'll have max-age in the headers?
| } | ||
|
|
||
| var maxAgeString string | ||
| for _, h := range strings.Split(hstsHeader, " ") { |
There was a problem hiding this comment.
The OG way to extract max-age was through the use of regex and indexing into the slice to get the max age value. Is this a better approach than indexing?
No description provided.