Incorrect calculation for "Enforces HTTPS"

[mpreissner]

🐛 Bug Report

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

Install pshtt on CentOS 7.7.
Run test against desired site with known Valid HTTPS and Defaults to HTTPS

Expected behavior

A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True.

I support a federal agency...according to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect.

Test site was "list.ahrq.gov".

Any helpful log output

Paste the results here:

[DOS-cyber]

Remember that it checks [site].[tld] as well as [www].[site].[tld]. http://www.list.ahrq.gov returns a 404, it doesn’t 3xx redirect to https. Neil From: mpreissner <notifications@github.com> Sent: Friday, November 8, 2019 8:51 AM To: cisagov/pshtt <pshtt@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: [cisagov/pshtt] Incorrect calculation for "Enforces HTTPS" (#207) 🐛 Bug Report A clear and concise description of what the bug is. To Reproduce Steps to reproduce the behavior: Install pshtt on CentOS 7.7. Run test against desired site with known Valid HTTPS and Defaults to HTTPS Expected behavior A given site returns "Valid HTTPS=True" and "Defaults to HTTPS=True", so "Domain Enforces HTTPS" should be True. I support a federal agency...according to what's been published, pshtt is supposed to calculate "Domain Enforces HTTPS" based on (Domain Supports HTTPS=True AND (Defaults to HTTPS=True OR (Strictly Forces HTTPS=True AND Redirect=True))). If this logic is correct, then any domain with Valid HTTPS=True and Defaults to HTTPS=True should return True for Domain Enforces HTTPS, regardless of the values for Strictly Forces HTTPS and Redirect. Test site was "list.ahrq.gov". Any helpful log output Paste the results here: — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#207?email_source=notifications&email_token=AKUO3SOVKWY2QY4WTCS7KODQSVVENA5CNFSM4JKXPS4KYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HX66VZA>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKUO3SJGC35S4WNCH3EDOSLQSVVENANCNFSM4JKXPS4A>.

[mpreissner]

Thanks Neil. If we simply get rid of the www 4th level domain, will that make the calculation come up as desired?

[echudow]

You're right, the documentation should be updated. #192 updated the logic for Domain Enforces HTTPS to also require Strictly Forces HTTPS to be True.