Changes

330 bytes added ,  16:01, 4 November 2019
Line 8: Line 8:  
* Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
 
* Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
 
* Removes the ability for users to click through warnings about invalid certificates
 
* Removes the ability for users to click through warnings about invalid certificates
 +
* '''Note:''' HSTS headers set on '''HTTP''' endpoints are '''ignored by most browsers''' due to the potential for malicious headers to be injected, however are recognized on HTTPS endpoints.
    
===Types of HSTS===
 
===Types of HSTS===
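Review bot: the added '''Note''' bullet both overstates the "most browsers" qualifier and leaves out a condition. RFC 6797 §8.1 requires every conforming user agent to ignore a Strict-Transport-Security header received over plain HTTP, and also to ignore it when the HTTPS connection itself has certificate errors, so the header only takes effect on an HTTPS response served with a valid certificate. Suggest rewording to "HSTS headers set on '''HTTP''' endpoints are '''ignored by browsers''' (RFC 6797 §8.1) because they could be injected by an on-path attacker; the header is honoured only on HTTPS responses with a valid certificate." The phrase "however are recognized" also reads awkwardly; "but are honoured" is cleaner.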
Line 26: Line 27:  
===HSTS Considerations===
 
===HSTS Considerations===
 
When moving to HSTS, bear in mind:
 
When moving to HSTS, bear in mind:
* The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file.
+
* The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not your HTTP endpoint, nor <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file.
 
* In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
* In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
* In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
 
* In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
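Review bot: in the revised deployment bullet, "not … https://www.domain.gc.ca" can be read as saying the www host should not send the header, which conflicts with the includeSubDomains/preload bullet two lines below. includeSubDomains only covers hosts below the host that set the policy, so the header must come from the apex, but every subdomain (www included) still has to be reachable over HTTPS and, for preload-list submission, any HTTPS-to-HTTPS redirect must carry the header as well. Suggest: "deployed on the https:// apex (https://domain.gc.ca) so that includeSubDomains covers www and all other hosts; the plain-HTTP endpoint should only redirect to HTTPS." Also note that ".htaccess" applies only to Apache with AllowOverride enabled; on other servers the header belongs in the server configuration. Minor: the trailing ";" in <code>max-age=31536000;</code> is tolerated by browsers but unnecessary.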
Line 57: Line 58:     
===Additional References===
 
===Additional References===
 +
# [https://github.com/cisagov/pshtt#hsts CISAGOV-pshtt (Github)] - fully explains HSTS measurement by domain-scan
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
 
# [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator]
 
# [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator]
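Review bot: the new reference title "CISAGOV-pshtt (Github)" conflates two tools. pshtt is the HTTPS/HSTS checker at github.com/cisagov/pshtt; domain-scan is a separate cisagov scanner that invokes pshtt as one of its scanners, so "explains HSTS measurement by domain-scan" is only true indirectly. Suggest "pshtt (cisagov, GitHub) - the HTTPS/HSTS checker used by domain-scan; its README defines how HSTS, preload readiness and max-age are measured."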