Changes

793 bytes added ,  14:30, 22 February 2019
Line 9: Line 9:  
* Removes the ability for users to click through warnings about invalid certificates
 
* Removes the ability for users to click through warnings about invalid certificates
 
<br>
 
<br>
 +
'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:
 +
<br><br>
 +
<code>Strict-Transport-Security: max-age=157680000; includeSubDomains;</code>
 +
<br><br>
 +
This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication.
 +
<br><br>
 +
'''Static HSTS''': In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end:
 +
<br><br>
 +
<code>Strict-Transport-Security: max-age=157680000; includeSubDomains; preload</code>
 +
<br><br>
 
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
<br><br>
 
<br><br>
263

edits