Changes

Jump to navigation Jump to search
4 bytes added ,  16:24, 20 February 2019
no edit summary
Line 1: Line 1:  +
 
==HTTP Strict Transport Security (HSTS)==
 
==HTTP Strict Transport Security (HSTS)==
 
HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.
 
HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.
Line 30: Line 31:  
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers.
 
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers.
 
<br>
 
<br>
 +
 
===HSTS Configuration for Common Web Servers===
 
===HSTS Configuration for Common Web Servers===
 
Departments are encouraged to use the Mozilla configuration generator in developing HTST headers, referenced in Section 5, above.  
 
Departments are encouraged to use the Mozilla configuration generator in developing HTST headers, referenced in Section 5, above.  
 
<br>
 
<br>
 +
 
===HSTS and Cookies===
 
===HSTS and Cookies===
 
When locking in the use of HTTPS through HSTS, cookies should be set with the Secure flag.  The scope of the domain and path of the cookies should be set as restrictively as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as cookies often contain session identifiers or other sensitive information.
 
When locking in the use of HTTPS through HSTS, cookies should be set with the Secure flag.  The scope of the domain and path of the cookies should be set as restrictively as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as cookies often contain session identifiers or other sensitive information.
Line 38: Line 41:  
* <code>__Secure-</code> prefix should be used for all cookies sent from secure origins (such as HTTPS).  
 
* <code>__Secure-</code> prefix should be used for all cookies sent from secure origins (such as HTTPS).  
 
<br>
 
<br>
 +
 
===Additional References===
 
===Additional References===
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
263

edits

Navigation menu

GCwiki