Validate HSTS max-age parsing#493

Draft
kshitijshresth wants to merge 1 commit into sony:master from kshitijshresth:master
Conversation

@kshitijshresth

Reject invalid Strict-Transport-Security max-age values instead of treating them as zero.

This adds validation for non-numeric and out-of-range max-age values and allows the existing unit test coverage for invalid max-age input.

Fixes #492

@garethsb
Contributor

garethsb commented Jun 2, 2026

Is an exception the right approach here? The relevant spec would be RFC 6797: HTTP Strict Transport Security (HSTS) which says among other things:

   4.  UAs MUST ignore any STS header field containing directives, or
       other header field value data, that does not conform to the
       syntax defined in this specification.

   5.  If an STS header field contains directive(s) not recognized by
       the UA, the UA MUST ignore the unrecognized directives, and if
       the STS header field otherwise satisfies the above requirements
       (1 through 4), the UA MUST process the recognized directives.

@kshitijshresth
Author

kshitijshresth commented Jun 2, 2026

Is an exception the right approach here? The relevant spec would be RFC 6797: HTTP Strict Transport Security (HSTS) which says among other things:

   4.  UAs MUST ignore any STS header field containing directives, or
       other header field value data, that does not conform to the
       syntax defined in this specification.

   5.  If an STS header field contains directive(s) not recognized by
       the UA, the UA MUST ignore the unrecognized directives, and if
       the STS header field otherwise satisfies the above requirements
       (1 through 4), the UA MUST process the recognized directives.

Thanks for the review! You're right that the RFC prescribes that a UA ignore a non-conforming STS header field rather than rejecting it.

I leaned on std::invalid_argument here for consistency: parse_hsts_header already throws std::invalid_argument for an empty max-age, an unterminated quoted-string value and a missing required max-age, so this change extends that existing contract to a non-numeric/out-of-range max-age. The caller can then ignore a thrown exception.

I also wanted to avoid the previous behaviour of silently parsing an invalid value as 0, since per 8.1 max-age=0 is an instruction to delete the cached policy.

If you'd prefer the parser to model "ignore" more directly, I'd change parse_hsts_header to return bst::optional (nullopt = ignore the header) instead of throwing? It might still be an improvement over deleting the cached policy.
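To make the "return an optional instead of throwing" alternative discussed above concrete, here is an added example. It is not cpprestsdk's code and not the change in this PR: `parse_hsts`, `HstsPolicy` and the helpers are hypothetical names, and it uses `std::optional` rather than the project's `bst::optional`. It follows the RFC 6797 rules quoted in the thread: unrecognized directives are skipped, while a header whose directives do not conform to the syntax (non-numeric max-age, unterminated quoted-string, duplicated directive, missing max-age) yields `nullopt`, meaning "ignore this header". A syntactically valid `max-age=0` is returned as a real policy with `max_age == 0`, so the caller can still distinguish "delete cached policy" from "ignore". Treating a delta-seconds value that overflows 64 bits as non-conforming is a choice made here, not something the RFC spells out.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

// Hypothetical parsed policy type (not cpprestsdk's own).
struct HstsPolicy {
    std::uint64_t max_age = 0;        // delta-seconds; 0 means "delete cached policy" (RFC 6797 8.1)
    bool include_subdomains = false;
};

namespace {

std::string trim(const std::string& s) {
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

std::string to_lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// directive-value may be a token or a quoted-string; an unterminated quote is a syntax error.
std::optional<std::string> unquote(const std::string& v) {
    if (v.empty() || v.front() != '"') return v;
    if (v.size() < 2 || v.back() != '"') return std::nullopt;
    return v.substr(1, v.size() - 2);
}

// delta-seconds = 1*DIGIT. Non-digits reject; a value that does not fit in 64 bits
// is treated as non-conforming here (implementation choice, not an RFC rule).
std::optional<std::uint64_t> parse_delta_seconds(const std::string& v) {
    if (v.empty()) return std::nullopt;
    std::uint64_t out = 0;
    for (char c : v) {
        if (c < '0' || c > '9') return std::nullopt;
        const std::uint64_t d = static_cast<std::uint64_t>(c - '0');
        if (out > (UINT64_MAX - d) / 10) return std::nullopt;  // out * 10 + d would overflow
        out = out * 10 + d;
    }
    return out;
}

}  // namespace

// Returns nullopt when RFC 6797 says the UA MUST ignore the header field;
// otherwise the recognized directives, with unrecognized ones skipped.
std::optional<HstsPolicy> parse_hsts(const std::string& header) {
    HstsPolicy policy;
    bool seen_max_age = false, seen_include = false;
    std::size_t pos = 0;
    while (pos <= header.size()) {
        std::size_t next = header.find(';', pos);
        if (next == std::string::npos) next = header.size();
        const std::string directive = trim(header.substr(pos, next - pos));
        pos = next + 1;
        if (directive.empty()) continue;  // grammar allows empty directives between ';'

        const std::size_t eq = directive.find('=');
        const std::string name = to_lower(trim(directive.substr(0, eq)));
        std::optional<std::string> value;
        if (eq != std::string::npos) {
            value = unquote(trim(directive.substr(eq + 1)));
            if (!value) return std::nullopt;  // unterminated quoted-string
        }

        if (name == "max-age") {
            if (seen_max_age || !value) return std::nullopt;  // duplicate or valueless
            const auto secs = parse_delta_seconds(*value);
            if (!secs) return std::nullopt;                   // non-numeric / out of range
            policy.max_age = *secs;
            seen_max_age = true;
        } else if (name == "includesubdomains") {
            if (seen_include || value) return std::nullopt;   // duplicate, or directive is valueless
            policy.include_subdomains = true;
            seen_include = true;
        }
        // any other directive-name: unrecognized, ignored (RFC 6797 8.1 rule 5)
    }
    if (!seen_max_age) return std::nullopt;  // max-age is REQUIRED
    return policy;
}

int main() {
    const char* samples[] = {"max-age=31536000; includeSubDomains", "max-age=0", "max-age=abc"};
    for (const char* s : samples) {
        const auto p = parse_hsts(s);
        if (p) std::printf("%-40s -> max_age=%llu subdomains=%d\n", s,
                           static_cast<unsigned long long>(p->max_age), p->include_subdomains);
        else   std::printf("%-40s -> ignore header\n", s);
    }
    return 0;
}
```

The important property for the issue in this PR is the three-way outcome: a valid policy, a valid `max-age=0` that deletes the cached policy, and `nullopt` for anything the RFC says to ignore, so a malformed value can never be mistaken for an instruction to drop the policy.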

@kshitijshresth kshitijshresth marked this pull request as draft June 2, 2026 12:06
Development

Successfully merging this pull request may close these issues.

HSTS invalid max-age validation