fix(hsts): only award preload bonus when max-age meets the hstspreload.org 2-year minimum#87
Open
dmchaledev wants to merge 1 commit into
Conversation
…g 2-year minimum

The preload +2 bonus was awarded for any max-age > 0 with a preload directive. hstspreload.org requires max-age >= 63072000 (2 years), so sites with max-age=31536000 (1 year) were receiving a misleading bonus for a preload status they could not actually attain.

Now the bonus is only awarded when max-age >= 63072000; a finding and recommendation are emitted otherwise.

Updated three existing tests that assumed max-age=31536000 + preload earned a perfect HSTS score, and added a dedicated test for the new behaviour.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01WpgTDYqyYdTqvMqXEhL6A9
Summary
The HSTS preload bonus (+2 points) was awarded whenever `preload` appeared in the header and `max-age > 0`. But hstspreload.org actually requires `max-age ≥ 63072000` (2 years). A site with `max-age=31536000; includeSubDomains; preload` would receive a perfect HSTS score (20/20) even though it cannot be submitted to the preload list.

Changes:

- `src/rules.ts`: Gate the +2 preload bonus on `maxAge >= 63072000`. When the directive is present but the age is too short, emit a finding and recommendation explaining the shortfall instead of silently awarding credit.
- `test/analyzer.test.ts`: Update three tests that assumed `max-age=31536000 + preload` should earn a perfect 20/20 HSTS score (they now use `63072000`). Add one new dedicated test that asserts a finding is emitted — and no bonus awarded — when `preload` is set with an insufficient max-age.

Before:
After:
All 86 tests pass (85 prior + 1 new).
🤖 Generated with Claude Code
https://claude.ai/code/session_01WpgTDYqyYdTqvMqXEhL6A9
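The gating rule this PR describes, written out as an added TypeScript example rather than the project's own `src/rules.ts`: the header is parsed the way RFC 6797 section 6.1 specifies (directive names are case-insensitive, a quoted `max-age` value is accepted, unknown directives are ignored, only the first valid `max-age` counts), then scored, and the `preload` bonus is credited only when `max-age` reaches the threshold the PR adopts. The point split (15 for a `max-age` of at least one year, 10 for a shorter positive value, +3 for `includeSubDomains`, +2 for `preload`), the finding and recommendation text, and the names `parseHsts` and `scoreHsts` are assumptions made here; only the 63072000 threshold, the +2 bonus and the 20-point maximum come from the PR. The threshold is a named constant so the check can be adjusted in one place if the preload listing requirements differ from what the PR assumes.

```typescript
// Added example, not the project's code. Point values, finding wording and the
// function names are assumed; the 63072000 threshold and +2 bonus follow the PR.

const PRELOAD_MIN_MAX_AGE = 63072000; // threshold the PR gates the preload bonus on
const ONE_YEAR = 31536000;            // assumed threshold for full max-age credit
const MAX_HSTS_SCORE = 20;

interface HstsDirectives {
  maxAge: number | null;   // null when absent or not a non-negative integer
  includeSubDomains: boolean;
  preload: boolean;
}

interface HstsScore {
  score: number;
  findings: string[];
  recommendations: string[];
}

// Parse a Strict-Transport-Security header value. Directive names are
// case-insensitive (RFC 6797 s6.1); a quoted max-age is accepted; unknown
// directives are ignored; only the first valid max-age is used.
function parseHsts(header: string): HstsDirectives {
  const parsed: HstsDirectives = { maxAge: null, includeSubDomains: false, preload: false };
  for (const piece of header.split(";")) {
    const directive = piece.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      if (parsed.maxAge === null && value !== null && /^\d+$/.test(value)) {
        parsed.maxAge = Number(value);
      }
    } else if (name === "includesubdomains") {
      parsed.includeSubDomains = true;
    } else if (name === "preload") {
      parsed.preload = true;
    }
  }
  return parsed;
}

// Score the header out of MAX_HSTS_SCORE. The preload bonus is only credited
// when max-age is at least PRELOAD_MIN_MAX_AGE; otherwise a finding and a
// recommendation describe the shortfall (the behaviour this PR introduces).
function scoreHsts(header: string | null): HstsScore {
  const result: HstsScore = { score: 0, findings: [], recommendations: [] };
  if (header === null) {
    result.findings.push("No Strict-Transport-Security header");
    result.recommendations.push(
      `Send Strict-Transport-Security: max-age=${PRELOAD_MIN_MAX_AGE}; includeSubDomains; preload`);
    return result;
  }
  const d = parseHsts(header);
  if (d.maxAge === null || d.maxAge === 0) {
    result.findings.push(d.maxAge === 0 ? "max-age=0 disables HSTS" : "HSTS header has no valid max-age");
    result.recommendations.push(`Set max-age to at least ${ONE_YEAR}`);
    return result;
  }
  if (d.maxAge >= ONE_YEAR) {
    result.score += 15;
  } else {
    result.score += 10;
    result.findings.push(`max-age=${d.maxAge} is below one year`);
    result.recommendations.push(`Raise max-age to at least ${ONE_YEAR}`);
  }
  if (d.includeSubDomains) {
    result.score += 3;
  } else {
    result.findings.push("includeSubDomains not set");
    result.recommendations.push("Add includeSubDomains so subdomains are covered");
  }
  if (d.preload) {
    if (d.maxAge >= PRELOAD_MIN_MAX_AGE) {
      result.score += 2;
    } else {
      // Do not credit a preload status the site cannot actually obtain.
      result.findings.push(
        `preload is set but max-age=${d.maxAge} is below the ${PRELOAD_MIN_MAX_AGE} required for preload`);
      result.recommendations.push(
        `Raise max-age to at least ${PRELOAD_MIN_MAX_AGE} before submitting to hstspreload.org`);
    }
  }
  if (result.score > MAX_HSTS_SCORE) result.score = MAX_HSTS_SCORE;
  return result;
}

// Constructed sample headers: the two cases the PR contrasts.
const perfect = scoreHsts("max-age=63072000; includeSubDomains; preload");
const oneYearPreload = scoreHsts("max-age=31536000; includeSubDomains; preload");
```

With these assumed weights `perfect` scores 20 with no findings, while `oneYearPreload` scores 18 and carries the preload shortfall finding, which is the distinction the PR's updated tests encode.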