
I need to activate HSTS on my webserver. But what should I do if the user did not allow cookies by clicking "no" on my 'do you accept our cookies' alert?

Can I theoretically disable HSTS in such cases, or is it always active? I know it would not make sense, but does it work?

Black
  • Why would you disable HSTS if the user didn't accept cookies? What do cookies have to do with HSTS? – Gabor Lengyel Dec 19 '18 at 11:00
  • HSTS has nothing to do with cookies, unless you're talking about some people using HSTS as a "super cookie" (https://security.stackexchange.com/questions/79518/what-are-hsts-super-cookies) which is more of a hack around the way HSTS works than anything your cookie policy should be concerned with IMHO... – Barry Pollard Dec 19 '18 at 14:00
  • @GaborLengyel, because of the DSGVO in Europe. HSTS is a "super cookie" according to some websites. – Black Dec 19 '18 at 14:29
  • This is somewhat out of bounds here, but quite frankly, I find that to be bollocks. Even the DSGVO allows you to store *some* stuff, especially if it's a technical necessity. – deceze Dec 19 '18 at 14:35
  • @Black My personal opinion is that it makes about zero sense (while I understand it could be misused if you really wanted). HSTS is not a "super cookie", and you should not ever disable it. No regulation prescribes that, and any security best practice tells you to use HSTS. – Gabor Lengyel Dec 19 '18 at 15:10
  • Well, our Data Protection Supervisor has to decide this. Maybe I can convince him that it is not a cookie, even though it seems to be one. – Black Dec 20 '18 at 10:40

1 Answer

2

This is not possible, due to a chicken and egg problem. HSTS is a header sent by the server. The only way the server would know to omit that header is if the client sent something in the request that would signal that. There's no "opt-out-of-HSTS" request header, so it would have to be something else stored permanently, like… a cookie. Which obviously defeats the purpose.

Further, the server would not be able to set the HSTS header on any first visit. And that rather defeats the purpose of HSTS.

deceze
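An added example, not from the question or the answer, that models the two halves the answer talks about: the per-host HSTS policy a browser stores from the Strict-Transport-Security header (simplified RFC 6797 semantics), and a server that only sends the header once a consent cookie is present, which is why a first visit can never seed the policy. `HstsStore`, `hsts_header_for`, the cookie name and the hosts used are constructed for this illustration.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Client-side HSTS policy store: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self):
        self.policies = {}

    def observe(self, host, response_headers, now=None):
        """Apply a Strict-Transport-Security header received over HTTPS from `host`."""
        now = time.time() if now is None else now
        value = response_headers.get("strict-transport-security")
        if value is None:
            return  # no header at all: the stored policy stays until it expires
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.I)
        if not m:
            return  # no valid max-age directive: header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 is the only way a server clears a policy
            return
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", value, re.I) is not None
        self.policies[host] = (now + max_age, include_sub)

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// if a live policy covers the host or a parent with includeSubDomains."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= now:
                continue  # unknown host or expired policy
            if i == 0 or policy[1]:
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def hsts_header_for(request_cookies):
    """Server side, gated on consent (constructed cookie name): a first-time visitor carries no
    cookie, so the header is never sent and the client never stores a policy."""
    if request_cookies.get("cookie_consent") != "yes":
        return {}
    return {"strict-transport-security": "max-age=31536000; includeSubDomains"}
```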