Re: HSTS cache cap allows eviction of security entries
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 1 Apr 2026 23:14:51 +0200 (CEST)
On Wed, 1 Apr 2026, Timothe Litt via curl-library wrote:
> Store the HSTS list on disk (persisting it is good);
That's why libcurl offers that in its API. It still needs to be able to
function with the cache in memory.
> you can use a memory cache of both positive [site -> HSTS records] and
> negative [site -> 'has no HSTS'] entries - and limit its size.
A typical user scenario has perhaps a handful of hostnames in the list that
should be bumped to HTTPS. I don't see how adding negative info to this makes
the data smaller.
> Or let a database (e.g. SQLite) manage the list. You don't have to invent
> your own.
This is over-engineering territory. SQLite is itself larger than the whole of
libcurl. HSTS is a rather tiny edge feature. No one wants libcurl to explode
in size and complexity just to support this.
-- / daniel.haxx.se || https://rock-solid.curl.dev
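The thread's concern is what a capped in-memory HSTS cache does when it fills up: evicting a still-valid host silently downgrades that host back to plain HTTP. The sketch below is an added illustration, not libcurl's code; its policy (purge expired entries first, then refuse the insert and record the refusal rather than evict a valid host) is one defensive choice, and the hosts and timestamps are constructed.

```python
class HstsCache:
    """Capped in-memory HSTS cache (illustration only, not libcurl's implementation).

    When the cap is reached, expired entries are purged first. If every entry is
    still valid, the new host is refused and recorded in `rejected` so the caller
    can log it, instead of silently evicting a security entry.
    """

    def __init__(self, cap):
        self.cap = cap
        self.entries = {}    # host -> (expires_at, include_subdomains)
        self.rejected = []   # hosts that could not be stored because the cap was hit

    def _purge_expired(self, now):
        for host in [h for h, (exp, _) in self.entries.items() if exp <= now]:
            del self.entries[host]

    def set(self, host, max_age, include_subdomains=False, now=0):
        """Record a Strict-Transport-Security policy. Returns False if refused."""
        host = host.lower()
        if max_age <= 0:
            # RFC 6797 6.1.1: max-age=0 tells the client to forget this host.
            self.entries.pop(host, None)
            return True
        if host not in self.entries and len(self.entries) >= self.cap:
            self._purge_expired(now)
            if len(self.entries) >= self.cap:
                self.rejected.append(host)   # refuse rather than evict a valid host
                return False
        self.entries[host] = (now + max_age, include_subdomains)
        return True

    def must_upgrade(self, host, now=0):
        """True if `host` (or a parent with includeSubDomains) is a known HSTS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            rec = self.entries.get(".".join(labels[i:]))
            if rec is None:
                continue
            exp, include_subdomains = rec
            if exp > now and (i == 0 or include_subdomains):
                return True
        return False
```

The `rejected` list is the signal a caller would want to surface: a refused insert means the cap, not the origin's policy, decided the host stays on plain HTTP.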
Received on 2026-04-01