Ghidra: Add ghidra-sre.org to HSTS preload list

Created on 4 Jun 2019 · 8 Comments · Source: NationalSecurityAgency/ghidra

Please add the Ghidra website to the HSTS preload list (https://hstspreload.org/).

Enhancement wont fix

All 8 comments

Any update?

This kind of thing is not really considered a Ghidra issue or enhancement...this GitHub project is for the tool itself. I understand why you created the ticket here though (where else would you have?)

If you provide more information on why you feel like this change is necessary, we can perhaps pass it along to the website people.

Information on HSTS: https://https.cio.gov/hsts/

If I remember correctly, that's currently a requirement for United States government websites.

I have already created an HTTPS Everywhere rule for the Ghidra website (https://github.com/EFForg/https-everywhere/blob/master/src/chrome/content/rules/Ghidra-SRE.org.xml), but it only affects HTTPS Everywhere extension users. On the other hand, HSTS is supported by the vast majority of browsers.

Thanks for the extra info. I'll pass the request along and let you know what happens. It might be a slow moving process though.

@ryanmkurtz can there be another repo for the website (or alternatively a website in a subdir of this repo and a label for website-related issues)?

The website is a pretty simple thing that is really just intended to give the public access to our latest Ghidra release, and provide links to things like our GitHub. At this point, it is the way we want it so I don't anticipate the need for users to report enhancement requests to it.

The server that runs the website (which is what I think you are more interested in) is a black box to us...it's not run by the Ghidra developers or anyone you will find on GitHub. All we can really do there is forward worthwhile suggestions (like what you brought up in this issue) on to them, but it is up to them to decide if they want to implement it. I'm sure they have policies of their own that guide how they do things.

@pipboy96 Indeed, except for that, there is nothing that needs to be changed.

Apparently, doing this is more involved since the website uses S3/CloudFront: https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/

I'm going to go ahead and close this because pursuing this any further is outside of our team's scope. We did reach out to the people who run the website and they confirmed what you said in your last post.
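For readers following the S3/CloudFront point raised in the thread, here is an added example (not code from this issue, the Ghidra project, or the linked AWS post) of a Lambda@Edge origin-response handler that sets the header, together with a check of a header value against the hstspreload.org requirements. The function names and the sample event are assumptions made for illustration.

```javascript
// Added example: Lambda@Edge origin-response handler for CloudFront.
// Header requirements are the ones published on hstspreload.org.
const MIN_MAX_AGE = 31536000; // one year, in seconds
const HSTS_VALUE = `max-age=${MIN_MAX_AGE}; includeSubDomains; preload`;

// Parse a Strict-Transport-Security value and list the preload
// requirements it fails. Directive names are case-insensitive.
function preloadProblems(value) {
  const directives = new Map();
  for (const part of String(value || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.join("=").replace(/^"|"$/g, ""));
  }
  const problems = [];
  const maxAge = directives.get("max-age");
  if (maxAge === undefined || !/^\d+$/.test(maxAge)) {
    problems.push("max-age missing or not a number");
  } else if (Number(maxAge) < MIN_MAX_AGE) {
    problems.push(`max-age below ${MIN_MAX_AGE}`);
  }
  if (!directives.has("includesubdomains")) problems.push("includeSubDomains missing");
  if (!directives.has("preload")) problems.push("preload missing");
  return problems;
}

// Set the header on the CloudFront response carried in the event.
// Header map keys are lowercase; each value is a list of {key, value}.
function addHsts(event) {
  const response = event.Records[0].cf.response;
  response.headers["strict-transport-security"] = [
    { key: "Strict-Transport-Security", value: HSTS_VALUE },
  ];
  return response;
}

// Entry point Lambda@Edge invokes on the origin-response trigger.
async function handler(event) { return addHsts(event); }
if (typeof module !== "undefined") module.exports = { handler };

// Constructed sample event: an S3 origin response with no HSTS header.
const sampleEvent = { Records: [{ cf: { response: {
  status: "200",
  headers: { "content-type": [{ key: "Content-Type", value: "text/html" }] },
} } }] };
```

The header alone is not sufficient for preloading: hstspreload.org also requires a valid certificate, an HTTP to HTTPS redirect on the same host, and HTTPS on all subdomains.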
