Hacker News
Show HN: A tiny web auditor with strong opinions (github.com)
5 points by woodruffw 65 days ago | 2 comments



The example seems weird: google.com almost certainly does redirect to HTTPS and send HSTS headers, so why does your tool think otherwise?


Not for me:

    $ curl -I http://google.com
    HTTP/1.1 301 Moved Permanently
    Location: http://www.google.com/
    Content-Type: text/html; charset=UTF-8
    Date: Thu, 13 Sep 2018 13:56:53 GMT
    Expires: Sat, 13 Oct 2018 13:56:53 GMT
    Cache-Control: public, max-age=2592000
    Server: gws
    Content-Length: 219
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

`curl`ing www.google.com also doesn't redirect -- it serves the HTTP page directly. Similarly, I don't see Strict-Transport-Security headers with either HTTP or HTTPS requests.
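
As an added example (not part of the thread and not the submitted tool's code): a small Python check over captured `curl -I` output that flags a missing HTTPS redirect and a missing or zeroed HSTS policy. The function names and the `example.test` response are assumptions constructed for illustration; the first sample is trimmed from the output quoted above.

```python
from urllib.parse import urlsplit

# Trimmed from the `curl -I http://google.com` output quoted in the comment above.
QUOTED_HTTP = """\
HTTP/1.1 301 Moved Permanently
Location: http://www.google.com/
Server: gws
X-Frame-Options: SAMEORIGIN
"""

# Constructed sample: what an HTTPS response with an HSTS policy looks like.
CONSTRUCTED_HTTPS = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

def parse_head(raw):
    """Split raw response headers into (status code, {lowercased name: value})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Return max-age in seconds, or None if the directive is absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isascii() and arg.isdigit() else None
    return None

def audit(request_url, raw):
    """Return a list of findings for one request/response pair."""
    status, headers = parse_head(raw)
    findings = []
    if urlsplit(request_url).scheme == "http":
        # Browsers ignore HSTS sent over plain HTTP, so only the redirect matters here.
        target = urlsplit(headers.get("location", ""))
        if not (300 <= status < 400 and target.scheme == "https"):
            findings.append("no-https-redirect")
    elif not hsts_max_age(headers.get("strict-transport-security", "")):
        # Missing, malformed, or max-age=0 (which clears any stored policy).
        findings.append("no-hsts")
    return findings
```

A 301 alone is not enough: the quoted response redirects, but to another `http://` URL, so it is still flagged.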



