Changes

'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:

'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:

<br><br>

<br><br>

<code>Strict-Transport-Security: max-age=157680000; includeSubDomains;</code>

<code>Strict-Transport-Security: max-age=31536000; includeSubDomains;</code>

<br><br>

<br><br>

This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication.

This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication.

'''Static HSTS''': In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end:

'''Static HSTS''': In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end:

<br><br>

<br><br>

<code>Strict-Transport-Security: max-age=157680000; includeSubDomains; preload</code>

<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>

<br><br>

<br><br>

In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)

In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)