caddy version):v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=
The page tls (Caddyfile directive) — Caddy Documentation
does not list the tls flag: must_staple.
Why not?
How do I force must_staple without it?
must_staple is currently only available via JSON config.
FWIW, we generally discourage the use of must-staple unless you have a very specific reason for it / threat model that requires it.
Why though? It solves the revocation problem.
Unfortunately, not so. “The” revocation problem is actually many problems – and Must-Staple doesn’t solve them. It would solve problems if revocation actually worked, but revocation as a whole is broken. Although Caddy’s OCSP implementation is the best available in the industry for supporting Must-Staple, you still risk bricking your site for a time with factors that are out of your control. That’s why Must-Staple should only be used if you have a very specific reason / threat model that requires it. The only good solution to “the” revocation problem is shorter certificate lifetimes.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.