
Show HN: A tiny web auditor with strong opinions - woodruffw
https://github.com/woodruffw/twa
======
detaro
The example seems weird: google.com almost certainly does redirect to HTTPS
and send HSTS headers, so why does your tool think otherwise?

~~~
woodruffw
Not for me:

    $ curl -I http://google.com
    HTTP/1.1 301 Moved Permanently
    Location: http://www.google.com/
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 13 Sep 2018 13:56:53 GMT
    Expires: Sat, 13 Oct 2018 13:56:53 GMT
    Cache-Control: public, max-age=2592000
    Server: gws
    Content-Length: 219
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

`curl`ing www.google.com also doesn't redirect -- it serves the HTTP page
directly. Similarly, I don't see Strict-Transport-Security headers with either
HTTP or HTTPS requests.
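
The two checks argued over in this thread (does the plain-HTTP response redirect to HTTPS, and does the HTTPS response carry Strict-Transport-Security), as an added shell example that is not part of the thread and not twa's own code. `audit_headers`, the two sample functions and the HSTS-sending response are assumptions constructed for illustration.

```shell
# Added example, not twa's code. Reads one raw `curl -I` response on stdin;
# $1 is the scheme that was requested (http or https).
audit_headers() {
    tr -d '\r' | awk -v scheme="$1" '
        done { next }
        /^$/ { done = 1; next }            # blank line ends the header block
        NR == 1 { status = $2; next }      # status line, e.g. HTTP/1.1 301 ...
        {
            i = index($0, ":")
            if (i == 0) next
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            hdr[tolower(substr($0, 1, i - 1))] = value   # names are case-insensitive
        }
        END {
            if (scheme == "http") {
                # HSTS sent over plain HTTP is ignored by browsers (RFC 6797),
                # so only the redirect target matters for this request.
                loc = hdr["location"]
                if (status !~ /^3[0-9][0-9]$/)
                    print "FAIL redirect: status " status " served over plain HTTP"
                else if (tolower(loc) ~ /^https:\/\//)
                    print "PASS redirect: " status " to " loc
                else
                    print "FAIL redirect: " status " to non-HTTPS " loc
                exit
            }
            sts = tolower(hdr["strict-transport-security"])
            gsub(/[ "]/, "", sts)
            if (sts == "")
                print "FAIL hsts: no Strict-Transport-Security header"
            else if (match(sts, /max-age=[0-9]+/) && substr(sts, RSTART + 8, RLENGTH - 8) + 0 > 0)
                print "PASS hsts: max-age=" substr(sts, RSTART + 8, RLENGTH - 8)
            else
                print "FAIL hsts: max-age missing or zero"
        }'
}

# Status line and Location header from the response quoted in the thread.
thread_sample() {
    printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' 'Location: http://www.google.com/' ''
}
# Constructed HTTPS response for a hypothetical site that does send HSTS.
constructed_sample() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'strict-transport-security: max-age=31536000' ''
}

thread_sample | audit_headers http
constructed_sample | audit_headers https
```

Against a live host the same function can be fed directly, for example `curl -sI http://HOST | audit_headers http`, without `-L` so that only the first response is judged.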

