git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-13 12:41:42 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
74a169575d
curl-curl/docs/libcurl/opts/CURLOPT_HSTS.md
Daniel Stenberg 93e80c75b4
hsts: accept 10K entries in the list 
Up from 1K.

Reduces the risk that someone could flush the list by tricking a user to
do many transfers to new hostnames.

Document the limit.

Follow-up to 03a792b186

Closes #21200
2026-04-02 10:22:35 +02:00

2.7 KiB
Raw Blame History

c SPDX-License-Identifier Title Section Source Protocol See-also Added-in
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. curl CURLOPT_HSTS 3 libcurl
HTTP
CURLOPT_ALTSVC (3)
CURLOPT_HSTS_CTRL (3)
CURLOPT_RESOLVE (3)
7.74.0

NAME

CURLOPT_HSTS - HSTS cache filename

SYNOPSIS

#include <curl/curl.h>

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_HSTS, char *filename);

DESCRIPTION

Make the filename point to a filename to load an existing HSTS cache from, and to store the cache in when the easy handle is closed. Setting a filename with this option also enables HSTS for this handle (the equivalent of setting CURLHSTS_ENABLE with CURLOPT_HSTS_CTRL(3)).

If the given file does not exist or contains no HSTS entries at startup, the HSTS cache starts empty. Setting the filename to NULL allows HSTS without reading from or writing to any file. NULL also makes libcurl clear the list of files to read HSTS data from, if any such were previously set.

If this option is set multiple times, libcurl loads cache entries from each given file but only stores the last used name for later writing.

Since libcurl 8.20.0, each in-memory HSTS cache (per easy handle or shared cache) holds no more than the most recently added 10,000 HSTS hostnames.

FILE FORMAT

The HSTS cache is saved to and loaded from a text file with one entry per physical line. Each line in the file has the following format:

[host] [stamp]

[host] is the domain name for the entry and the name is dot-prefixed if it is an entry valid for all subdomains to the name as well or only for the exact name.

[stamp] is the time (in UTC) when the entry expires and it uses the format "YYYYMMDD HH:MM:SS".

Lines starting with "#" are treated as comments and are ignored. There is currently no length or size limit.

DEFAULT

NULL, no filename

SECURITY CONCERNS

We strongly urge users to stick to HTTPS:// URLs, which makes this option unnecessary.

libcurl cannot fully protect against attacks where an attacker has write access to the same directory where it is directed to save files. This is particularly sensitive if you save files using elevated privileges.

libcurl creates the file to store HSTS data in using default file permissions, meaning that on *nix systems you may need to restrict your umask to prevent other users on the same system to access the file.

%PROTOCOLS%

EXAMPLE

int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    curl_easy_setopt(curl, CURLOPT_HSTS, "/home/user/.hsts-cache");
    curl_easy_perform(curl);
  }
}

%AVAILABILITY%

RETURN VALUE

curl_easy_setopt(3) returns a CURLcode indicating success or error.

CURLE_OK (0) means everything was OK, non-zero means an error occurred, see libcurl-errors(3).