rspec/rules/S5739/description.adoc

When implementing the HTTPS protocol, a website usually continues to support the HTTP protocol so that users who request an HTTP version of the website are redirected to HTTPS. These redirects are not encrypted and are therefore vulnerable to man-in-the-middle attacks. The https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[Strict-Transport-Security policy header] (HSTS) set by an application instructs the web browser to convert any HTTP request to HTTPS.
Web browsers that see the Strict-Transport-Security policy header for the first time record information specified in the header:
* the ``++max-age++`` directive, which specifies how long (in seconds) the policy should be kept by the web browser.
* the ``++includeSubDomains++`` optional directive, which specifies whether the policy should also apply to all sub-domains.
* the ``++preload++`` optional directive, which is not part of the HSTS specification but is supported by all modern web browsers.
With the ``++preload++`` directive the web browser never connects to the website over HTTP. To use this directive, it is required https://hstspreload.org/[to submit] the concerned application to a preload service maintained by Google.
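The three directives described above can be checked mechanically on a server's response. The following Python example is added here and is not part of the rule description or of the SonarSource rule implementation: it parses a ``++Strict-Transport-Security++`` value into its ``++max-age++``, ``++includeSubDomains++`` and ``++preload++`` components, then audits a response header map and reports what a browser would ignore or what would weaken the policy. The one-year minimum ``++max-age++`` used as the threshold is the preload service's published requirement, which the description above does not state, so it is an assumption of the example; the sample header maps are constructed.

```python
"""Parse and audit a Strict-Transport-Security (HSTS) response header.

Added example; not code from the rule description or the rule implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: hstspreload.org requires max-age of at least one year,
# includeSubDomains and preload before a site can be preloaded.
ONE_YEAR_SECONDS = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None when missing or not a valid integer
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the header into ';'-separated directives (names are case-insensitive)."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if value.isdigit():
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for the HSTS header; an empty list means the policy is sound."""
    hsts_value: Optional[str] = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts_value = value
    if hsts_value is None:
        return ["Strict-Transport-Security header is missing; HTTP->HTTPS redirects stay exposed"]

    policy = parse_hsts(hsts_value)
    findings: List[str] = []
    if policy.max_age is None:
        findings.append("max-age is missing or invalid; browsers ignore the whole header")
    elif policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age < ONE_YEAR_SECONDS:
        findings.append("max-age is below one year; policy expires early and blocks preloading")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is not set; sub-domains remain reachable over plain HTTP")
    if policy.preload and (
        policy.max_age is None
        or policy.max_age < ONE_YEAR_SECONDS
        or not policy.include_subdomains
    ):
        findings.append("preload is set but the preload prerequisites are not met")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "weak": {"Strict-Transport-Security": "max-age=60; preload"},
        "strong": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    }
    for label, headers in samples.items():
        print(label, "->", audit_headers(headers) or ["ok"])
```

The audit deliberately treats a missing or non-numeric ``++max-age++`` as a missing policy, because RFC 6797 makes ``++max-age++`` mandatory and browsers discard a header without it.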