Changes

793 bytes added ,  15:30, 22 February 2019
Line 9: Line 9:  
* Removes the ability for users to click through warnings about invalid certificates
 
* Removes the ability for users to click through warnings about invalid certificates
 
<br>
 
<br>
 +
'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:
 +
<br><br>
 +
<code>Strict-Transport-Security: max-age=157680000; includeSubDomains;</code>
 +
<br><br>
 +
This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication.
 +
<br><br>
 +
'''Static HSTS''': In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end:
 +
<br><br>
 +
<code>Strict-Transport-Security: max-age=157680000; includeSubDomains; preload</code>
 +
<br><br>
 
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 
<br><br>
 
<br><br>
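Review bot: the added '''Static HSTS''' paragraph says the preload mode "allows for hard-coding HSTS records directly into the browser's source" and that the header "is changed to indicate the administrator's intention", which reads as if appending `preload` is what gets a site into the browser. It is not: no browser acts on the `preload` directive itself; it only records the site owner's consent, and the domain still has to be submitted to the preload list (hstspreload.org), which is then compiled into browser releases. Submission is accepted only when the header is served on the base domain over HTTPS with `max-age` of at least 31536000 (one year), `includeSubDomains` and `preload`, plain HTTP on port 80 redirects to HTTPS on the same host, and every subdomain is reachable over HTTPS. Suggest adding one sentence to that effect after the second header example, otherwise a reader will set the header and assume the first-request gap is closed. Smaller point on the '''Dynamic HSTS''' paragraph: "an adversary intercepts the communication" should say what the interception buys, namely that with no stored policy the browser follows whatever the attacker serves over plain http:// and the redirect to https:// can simply be stripped; the same window reopens once a cached policy passes its max-age or the user clears site data.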