HTTP-based APIs, including websites hosting web content, want to force HTTPS for security; however, the current mechanism is not absolute in its intentions and requires third-party configuration to help enforce the policy. On top of that, the configuration is very coarse grained and does not meet many use cases where fine grained control is required, such as having different policies for sub-domains of a second-level domain. By allowing web domains to host their own configuration, we can give fine grained control to the owners of domains and help to secure the web from malicious actors.
Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 4.0 License.
INC, HP, "DOMAIN BASED HSTS (HTTP STRICT TRANSPORT SECURITY) MANAGEMENT", Technical Disclosure Commons, (November 21, 2022)