Line 8: |
Line 8: |
| * Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol. | | * Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol. |
| * Removes the ability for users to click through warnings about invalid certificates | | * Removes the ability for users to click through warnings about invalid certificates |
| + | * '''Note:''' HSTS headers set on '''HTTP''' endpoints are '''ignored by most browsers''' due to the potential for malicious headers to be injected, however are recognized on HTTPS endpoints. |
| | | |
| ===Types of HSTS=== | | ===Types of HSTS=== |
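Review bot: The reason given in the new note is imprecise and "most browsers" undersells the rule: RFC 6797 (reference 1 below), section 8.1, requires a conforming user agent to ignore a Strict-Transport-Security header received over insecure transport, and likewise on a TLS connection with certificate errors, because an on-path attacker could otherwise set or clear the policy for a host. Suggest wording it as "Browsers ignore HSTS headers sent over plain HTTP (or over HTTPS with certificate errors), since an attacker on the network could otherwise inject or alter them; the header only takes effect when received over a valid HTTPS connection", which also removes the comma splice in "... injected, however are recognized ...".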
Line 26: |
Line 27: |
| ===HSTS Considerations=== | | ===HSTS Considerations=== |
| When moving to HSTS, bear in mind: | | When moving to HSTS, bear in mind: |
− | * The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file. | + | * The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not your HTTP endpoint, nor <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file. |
| * In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year) | | * In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year) |
| * In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code> | | * In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code> |
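Review bot: "not your HTTP endpoint" in the rewritten bullet reads as if the header could harmlessly be set there as well; clearer to state the two separate requirements: the HTTP endpoint should only redirect to HTTPS (the header is ignored on plain HTTP, as the note added at the top of the page says), and the header must be served on the apex host https://domain.gc.ca with includeSubDomains so that www and every other subdomain inherit the policy, rather than on www alone. ".htaccess" is also Apache-specific; "added to your web server configuration (e.g. .htaccess on Apache)" fits better given that the Mozilla generator in reference 3 covers other servers. Since the last bullet recommends "preload", consider adding the caveat that preloading is a long-term commitment: once a domain is in the browser preload lists every subdomain must keep serving valid HTTPS, and removal from the lists is slow to propagate, so roll out with a short max-age first and raise it to a year once all subdomains are confirmed working.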
Line 57: |
Line 58: |
| | | |
| ===Additional References=== | | ===Additional References=== |
| + | # [https://github.com/cisagov/pshtt#hsts CISAGOV-pshtt (Github)] - fully explains HSTS measurement by domain-scan |
| # [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)] | | # [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)] |
| # [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator] | | # [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator] |
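Review bot: The description of the new reference conflates two tools: pshtt is the scanner that checks a domain's HTTPS and HSTS behaviour, while domain-scan is the separate cisagov project that runs pshtt (among other scanners) across many domains, so "fully explains HSTS measurement by domain-scan" would be clearer as "explains how pshtt (the scanner used by domain-scan) measures HSTS". Also "Github" should be "GitHub", and the project is normally written "cisagov/pshtt" rather than "CISAGOV-pshtt".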