I was looking at CMake’s Utilities/cmcurl/CMakeLists.txt
and noticed set(CURL_DISABLE_HSTS ON) while Curl’s general default is OFF.
Basically, I’m wanting to be sure that CMake default is to use Curl with HSTS for security benefits.
I made this test that appears to show that CMake internal Curl is NOT HSTS promoting to HTTPS.
It was added in this MR without comment. @brad.king, was this just a goof on the default or was there a reason beyond “seemed like a more secure default”?
Yeah, what I’m saying is that the way CMake sets/overrides it looks like CMake internally is trying to disable HSTS, even though it ends up being built with HSTS.
It was not intentionally left off. CMake MR 8801 enables it now.
OK thanks! I rebuilt CMake with that change.
My Gist is not a good test because how the browser acts depends on if the browser previously visited the website to get the HSTS header for upgrading the connection.
Well anyway, at least 8801 makes a better default.
CURL_DISABLE_HSTS only controls whether the feature is built in to curl. An application may still need to set associated options when making a connection, which we don’t.
If I understand HSTS correctly, it makes sense only when making multiple connections over time. In order to take advantage of it across multiple cmake runs, we’d need to set curl options to cache information in a file somewhere.