I just enabled HTTP Strict Transport Security (HSTS) (https://tools.ietf.org/html/draft-hodges-strict-transport-sec) markers on a bunch of web servers that offer HTTPS.
on 12/16/2010 – Made popular on 12/16/2010
My company's site has a static homepage for speed and cost reasons. We use S3 as the origin for CloudFront. Now, we would like to declare Strict-Transport-Security for the entire domain, but S3 seems to not send any headers we specify (beyond ones starting with something like x-aws--). CloudFront doesn't seem to have any custom header option either.
The IETF appears to have had a draft to specify a null MX record whereby a domain would not handle mail and mail delivery systems would fail and return an undeliverable system immediately by directing a domain's only MX record to '.' (cf. http://tools.ietf.org/html/draft-delany-nullmx-00)
Is this draft specification followed by most mail servers out there and worth setting up?
What are my options for disabling HSTS both for new sites and for those sites baked into the browser?
I am setting up a new firewall and I'm trying to clean my HTTPS inspection rules. I really want to avoid adding sites to the list that may have user contributed content, such as mail.google.com / gmail.com.