>From 702738a1e03c07f90de09527d1a6e0cb04fc5ea6 Mon Sep 17 00:00:00 2001 From: Ander Juaristi Date: Sat, 8 Aug 2015 19:44:22 +0200 Subject: [PATCH 2/2] Updated documentation to include HSTS. * doc/wget.texi: added information about Wget's HSTS implementation. --- doc/wget.texi | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/doc/wget.texi b/doc/wget.texi index d2ff7dc..54ac426 100644 --- a/doc/wget.texi +++ b/doc/wget.texi 
@@ -1800,6 +1800,37 @@ read random data from EGD socket specified using this option. If this option is not specified (and the equivalent startup command is not used), EGD is never contacted. EGD is not needed on modern Unix systems that support @file{/dev/urandom}. + address@hidden HSTS address@hidden --no-hsts +Wget supports HSTS (HTTP Strict Transport Security, RFC 6797) by default. +Use @samp{--no-hsts} to make Wget act as a non-HSTS-compliant UA. As a +consequence, Wget would ignore all the @code{Strict-Transport-Security} +headers, and would not enforce any existing HSTS policy. + address@hidden address@hidden +By default, Wget stores its HSTS database in @file{~/.wget-hsts}. +You can use @samp{--hsts-file} to override this. Wget will use +the supplied file as the HSTS database. Such file must conform to the +correct HSTS database format used by Wget. If Wget cannot parse the provided +file, the behaviour is unspecified. + +Be aware though, that Wget may modify the provided file if any change occurs +between the HSTS policies requested by the remote servers and those in the +file. When Wget exists, it effectively updates the HSTS database by rewriting +the database file with the new entries. + +If the supplied file does not exist, Wget will create an empty one. This file +will have the new HSTS entries (if any) at the end of Wget execution. + +Care is taken not to override possible changes made by other Wget processes at +the same time over the HSTS database. Before dumping the updated HSTS entries +on the file, Wget will re-read it and merge the changes. + +Using a custom HSTS database and/or modifying an existing one is discouraged. +For more information about the potential security threats arised from such practice, +see section 14 "Security Considerations" of RFC 6797, specially section 14.9 +"Creative Manipulation of HSTS Policy Store". @end table @cindex WARC -- 1.9.1
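Review bot: the new user-facing text has several wording errors that should be fixed before this lands: "When Wget exists" should read "When Wget exits", "arised from such practice" should be "arising from such practice", "specially section 14.9" should be "especially section 14.9", and "Such file must conform" should be "Such a file must conform". Two documentation points beyond the typos: the sentence "If Wget cannot parse the provided file, the behaviour is unspecified" should instead state what Wget actually does (abort, ignore the file, or overwrite it), because a database that is silently rewritten on parse failure would discard the HSTS policies it held; and the paragraph on concurrent processes ("Wget will re-read it and merge the changes") should say which entry wins when the re-read file and the in-memory policy disagree for the same host, since that decides whether a weaker policy can replace a stronger one. Given the reference to RFC 6797 section 14.9, the text would also benefit from one sentence on why @file{~/.wget-hsts} must not be writable by other users. Separately, the @cindex/@item directive lines appear here as "address@hidden", which is the archive's address obfuscation; check the original patch to confirm the Texinfo markup is intact.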