
HSTS preloading for torproject.net

I hope this is the correct place to report this.

To protect users from sslstrip-type attacks, HSTS preloading is the best way to go when aiming for broad coverage.

Unlike torproject.org, torproject.net is currently not covered by HSTS preloading:

https://hstspreload.org/?domain=torproject.net vs https://hstspreload.org/?domain=torproject.org

If for some reason it is not possible to enable HSTS preloading on torproject.net, the next best thing is to submit all domains that support HTTPS to HTTPS-Everywhere: https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Torproject.xml
