From 2fcd21083ecafee0c4911bd211f8796e8ceef0fc Mon Sep 17 00:00:00 2001
From: Roman-Nopantski
Date: Thu, 23 Feb 2017 20:30:18 +1300
Subject: [PATCH] enforce HSTS preload list
---
 user.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/user.js b/user.js
index 092ec18..1585e75 100644
--- a/user.js
+++ b/user.js
@@ -658,9 +658,9 @@ user_pref("security.mixed_content.block_active_content", true);
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145
 user_pref("security.mixed_content.send_hsts_priming", false);
 user_pref("security.mixed_content.use_hsts", false);
-// 1219: disable HSTS preload list
- // recommended left inactive and at default, unless you fully understand the risks and trade-offs
- // user_pref("network.stricttransportsecurity.preloadlist", false);
+// 1219: enforce HSTS preload list (default is true)
+ // recommended left at default, unless you fully understand the risks and trade-offs
+user_pref("network.stricttransportsecurity.preloadlist", true);
 // 1220: disable intermediate certificate caching (fingerprinting attack vector)
 // NOTE: This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
 // WARNING: This affects login/cert/key dbs. The effect is all credentials are session-only.
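Review bot: The warning kept under 1219, `// recommended left at default, unless you fully understand the risks and trade-offs`, no longer fits the line it sits above. The pref is now active and pinned to the default value, so the sentence reads as advice against the setting being applied and never says what the trade-off is. With `true`, hosts on the built-in preload list are treated as HTTPS-only from the first connection, and that is the property worth documenting. I would replace the warning with something like `// keeps preloaded HSTS hosts HTTPS-only from first contact; setting false removes that downgrade protection`.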