<ocdtrekkie>
For those tracking, I got my web app that has HSTS working again... I still haven't figured out how to disable HSTS on it though.
<isd>
congrats.
<isd>
I am coming around to just not doing it with Sandstorm. In any case, tying the HSTS expiration to the cert expiration looks like it would be enough work that I probably won't actually find time to implement it anytime soon.
<ocdtrekkie>
I think it makes sense to support it for people who want it and know what it entails. I just don't think we should implement it by default because it is hard to undo.
<isd>
Maybe we could just add an HSTS=true option to sandstorm.conf and leave it at that.
<isd>
That would also let us easily just set a very long expiration time, without fussing about breaking things for users who weren't expecting it.
<isd>
So not having it on by default lets us be stricter with it, which is nice.
<ocdtrekkie>
Maybe, if that's an easyish solution. Could it be HSTS=lifetime instead of a boolean? I imagine that being something the savvy HSTS user would have opinions on.