
Disable TLS Session resumption and Session IDs

We need to disable TLS session resumption and HTTP keep-alive to prevent third parties from possibly using them to track users between different domains.

Ideally, we should simply prevent 3rd party origins from using these two features, but I suspect that differentiating 3rd party loads at the HTTP and TLS layers will prove difficult.
