The Let’s Encrypt integration guide recommends the default HSTS expiry period be 60 days. However, the SSL Labs scorecard requires a longer expiry time to qualify for an A+ rating. Is there any chance someone at Let’s Encrypt could pow-wow with someone at SSL Labs and come to some sort of agreement here? It’s frustrating to have to explain the minutiae of this situation to customers who complain that our SSL configuration isn’t “A+ by default”.
@jsha Do you know where the original 60 day figure in the integration guide came from? Is this based on the renewal period of our certificates?
I guess SSL Labs requires HSTS to be longer than 6 months because most publicly trusted CAs issue certificates that last longer than 6 months (normally one year).
For Let’s Encrypt… I actually have no idea why it suggests 60 days instead of 45 days. (But SSL Labs seems to want a long HSTS duration to secure the web even after a visitor hasn’t gone to that site for a long time.)
It’s not based on the renewal period. I don’t really remember how I chose the 60 day figure. I suspect I was reluctant to recommend a high default because of the significant potential for site bricking. I may also have been influenced by the then-recent addition of a max-max-age for HPKP (though I’m having trouble finding a reference for this at the moment). I’m open to changing it. Certainly, though, @mpalmer, you should feel free to set a longer max-age to meet SSL Labs’ number by default if you’d like.
You enable SSL on your website with a nice shiny certificate.
You redirect all traffic from HTTP to HTTPS.
Search engines get the hint and search results show HTTPS URLs after a few weeks.
New links to your site are all HTTPS.
There’s no way back. You have to keep HTTPS working or your site dies. It doesn’t even matter anymore what you set the HSTS max-age to.
(I use max-age=99999999 if you care to know.)
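To make the numbers in this thread concrete, here is an added example (not code from Let’s Encrypt, SSL Labs or any of the posters above) that parses a Strict-Transport-Security header the way RFC 6797 describes and reports how its max-age compares with the two figures discussed: the 60-day default from the integration guide and the six-month minimum SSL Labs wants for A+. The exact SSL Labs threshold is an assumption here (taken as 180 days); the header values fed in at the bottom, including the 99999999 from the last post, are constructed for the demo.

```python
"""Parse a Strict-Transport-Security header and compare its max-age with the
60-day integration-guide default and the (assumed) six-month SSL Labs minimum.
Example code, not from Let's Encrypt or SSL Labs."""
import re

DAY = 86400
LETSENCRYPT_GUIDE_DEFAULT = 60 * DAY   # 60 days, the integration guide's default
SSLLABS_LONG_DURATION = 180 * DAY      # assumption: "at least six months" for A+

# One directive: name, optionally "=" and a token or quoted-string (RFC 6797 6.1).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*("([^"]*)"|([^;\s]*)))?\s*')


def parse_hsts(header_value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool}.

    Per RFC 6797 directive names are case-insensitive, max-age is mandatory,
    a repeated directive makes the header invalid, and unknown directives
    are ignored. Raises ValueError for a header a browser would reject."""
    directives = {}
    for part in header_value.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError("malformed directive: %r" % part)
        name = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(4)
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    if 'max-age' not in directives:
        raise ValueError("max-age directive is required")
    raw = directives['max-age']
    if raw is None or not raw.isdigit():
        raise ValueError("max-age must be a non-negative integer: %r" % raw)
    return {
        'max_age': int(raw),
        'include_subdomains': 'includesubdomains' in directives,
        'preload': 'preload' in directives,
    }


def is_valid_hsts(header_value):
    """True if the header parses; handy for a config check."""
    try:
        parse_hsts(header_value)
        return True
    except ValueError:
        return False


def max_age_days(header_value):
    """max-age expressed in days, as a float."""
    return parse_hsts(header_value)['max_age'] / DAY


def classify(header_value):
    """Compare the max-age with the two figures from the thread."""
    age = parse_hsts(header_value)['max_age']
    if age == 0:
        return 'disabled'                  # max-age=0 tells browsers to forget the host
    if age < LETSENCRYPT_GUIDE_DEFAULT:
        return 'below-guide-default'
    if age < SSLLABS_LONG_DURATION:
        return 'guide-default-but-short-for-ssllabs'
    return 'long-enough-for-ssllabs'


if __name__ == '__main__':
    # Constructed sample headers, not captured from any real site.
    for hdr in ("max-age=5184000",
                "max-age=99999999",
                "max-age=31536000; includeSubDomains; preload",
                "MAX-AGE=0"):
        print("%-48s %8.1f days  %s" % (hdr, max_age_days(hdr), classify(hdr)))
```

The parser deliberately rejects what a browser would reject (missing or non-numeric max-age, repeated directives) and ignores what a browser ignores (unknown directives), so a config check built on it will not pass a header that user agents silently drop. Note that 5184000 seconds is exactly the guide's 60 days, which lands in the middle band: valid, but short of the six-month figure SSL Labs looks for.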