Support » Plugin: Headers Security Advanced & HSTS WP » Misleading option description

  • [Resolved] Plugin Contributor Rimas

    (@erku)


    The description for the preload option currently sports the following text:

    The “preload” parameter is used to indicate to the browser that the website should only be loaded via HTTPS. This means that even if a user types “http://” in front of the website URL, he or she will automatically be redirected to “https://” to ensure the security of the connection. In addition, this parameter allows the website to be included in the pre-loading list of browsers, which means that browsers will only use the HTTPS connection for the site without the need for verification. This makes the site load faster for users and improves the security of the connection.

    This text is slightly misleading. Namely, the first part of it is incorrect, because the presence of the HSTS header itself ensures that supporting browsers will automatically redirect HTTP requests to HTTPS. The preload parameter only indicates that the site owner accepts the site being included in the preload list upon submission. To quote the OWASP cheat sheet:

    The preload flag indicates the site owner’s consent to have their domain preloaded. The site owner still needs to then go and submit the domain to the list.

    I want to suggest that the aforementioned description be updated by removing everything up to and including the words “in addition”.
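To make the distinction in this report concrete, here is an added example (not code from the plugin or from this thread) that parses a Strict-Transport-Security header and reports two separate things: whether the header alone already makes supporting browsers upgrade http:// to https://, and whether the header would pass the hstspreload.org submission checks. The preload-list requirements (max-age of at least one year, includeSubDomains, preload) are assumed as the current published rules.

```python
"""Parse a Strict-Transport-Security header and separate its two effects.

Added example, not the plugin's code. The header itself makes supporting
browsers upgrade http:// requests for max-age seconds; the `preload`
directive only signals consent to be listed on hstspreload.org after the
owner submits the domain. Preload-list rules assumed here:
max-age >= 31536000 (one year), includeSubDomains, and preload.
"""
from dataclasses import dataclass
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # assumed hstspreload.org minimum: one year


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse directives per RFC 6797: ';'-separated, names case-insensitive,
    max-age value optionally quoted."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def enforces_https(policy: HstsPolicy) -> bool:
    """True when a browser that has seen this header will upgrade http://
    to https:// on its own, whether or not `preload` is present."""
    return policy.max_age is not None and policy.max_age > 0


def preload_issues(policy: HstsPolicy) -> List[str]:
    """Reasons a preload-list submission would be rejected (assumed rules).
    An empty list means eligible, but the domain is still not preloaded
    until the owner actually submits it."""
    issues = []
    if policy.max_age is None or policy.max_age < PRELOAD_MIN_MAX_AGE:
        issues.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not policy.preload:
        issues.append("preload directive missing (no consent signalled)")
    return issues
```

Running `preload_issues(parse_hsts("max-age=31536000"))` reports the missing includeSubDomains and preload directives, while `enforces_https` is already true for that same header.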

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Rimas

    (@erku)

    I also noticed some “code smell” in the code. For example, there are two distinct places where the headers that should be added are collected (and – of course – they aren’t in sync). Also, the lack of proper indentation makes the code difficult to read.

    Do you have a Git repository where pull requests could be made? I know that the WordPress plugins repository still uses Subversion (svn), but I pity anyone still having to use it as their main versioning tool, so I’m thinking maybe you have a better co-working tool in place, and only mirror the result to Subversion instead?

  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @erku, thank you for taking the time to describe your topic, any help is important. As a tool I use Github; if you provide me your name I can invite you as a contributor.

    Plugin Contributor Rimas

    (@erku)

    @unicorn03, thanks for replying! If the repo is public, could you just link it here? I’d then fork it and make a pull request or two.

    Edit: my username over at Github is rimas-kudelis. Cheers!

  • Plugin Author Andrea Ferro

    (@unicorn03)

    Hi @erku, I sent you an invitation to enter the plugin repository.
    Thank you for your support. For your support, I have added you as Contributors & Developers for helping the plugin improve.

  • The topic ‘Misleading option description’ is closed to new replies.