Before the invention of HSTS security policy, if a user didn't specify the protocol in the URL, were all the initial requests sent over HTTP by default for every website?

user241274

1 Answer

The first request is made over HTTP, then the site redirects you to the HTTPS website.

Check out this post

It says it in an example of how sites used to work:

More specifically, these are the steps for logging into the bank’s site:

  1. You type “www.mybank.com” into the address bar and hit enter.
  2. The browser assumes “www.mybank.com” should be requested over HTTP by default, so the initial request is unencrypted.
  3. The server at “http://www.mybank.com” responds with an HTTP redirect to “https://www.mybank.com”
  4. The secure connection is established, and a login page is served via HTTPS.
  5. You enter your password and do your banking.
Khalid
  • Is this only when HSTS is not implemented on websites? – user241274 Aug 16 '20 at 19:16
  • This is what they used to do before HSTS; if the website doesn't redirect you to HTTPS then you will remain on the HTTP website. I think HSTS has to be initiated by the browser and implemented in the browser as well – Khalid Aug 16 '20 at 19:55
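
The login steps quoted in the answer, modelled from the browser's side as an added example (not code from the question, the answer or the linked post): the first request for a typed address goes over HTTP unless a Strict-Transport-Security policy was stored from an earlier HTTPS response, following RFC 6797. `HstsStore`, `noteResponse` and `initialScheme` are hypothetical names, the model ignores preload lists, and the hostnames and timestamps are constructed.

```javascript
// Added example: simplified model of a browser's HSTS handling (RFC 6797).
// HstsStore, noteResponse and initialScheme are hypothetical names;
// hostnames and timestamps are constructed sample values.
class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header. It only counts when it
  // arrived over HTTPS; over plain HTTP it is ignored.
  noteResponse(scheme, host, headerValue, nowMs) {
    if (scheme !== "https" || !headerValue) return false;
    let maxAge = null;
    let includeSubDomains = false;
    for (const part of headerValue.split(";")) {
      const [name, value = ""] = part.split("=").map((s) => s.trim());
      const key = name.toLowerCase();
      if (key === "max-age") {
        maxAge = /^"?\d+"?$/.test(value) ? parseInt(value.replace(/"/g, ""), 10) : NaN;
      }
      if (key === "includesubdomains") includeSubDomains = true;
    }
    if (maxAge === null || Number.isNaN(maxAge)) return false; // no valid max-age
    host = host.toLowerCase();
    if (maxAge === 0) {
      this.policies.delete(host); // max-age=0 removes the stored policy
    } else {
      this.policies.set(host, { expires: nowMs + maxAge * 1000, includeSubDomains });
    }
    return true;
  }

  // True if the host, or a parent with includeSubDomains, has a live policy.
  isKnownHstsHost(host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const policy = this.policies.get(labels.slice(i).join("."));
      if (policy && policy.expires > nowMs && (i === 0 || policy.includeSubDomains)) {
        return true;
      }
    }
    return false;
  }
}

// Scheme of the first request for an address typed without a protocol:
// plain HTTP (step 2 above) unless a stored HSTS policy upgrades it.
function initialScheme(typedHost, store, nowMs) {
  return store.isKnownHstsHost(typedHost, nowMs) ? "https" : "http";
}
```

With an empty store the first request for `www.mybank.com` is always `http`; only after an HTTPS response carrying the header has been recorded does the same typed address start on `https`, until `max-age` runs out.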