Questions tagged [hsts]

HTTP Strict Transport Security is a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. It is defined by RFC 6797.

161 questions
112 votes, 6 answers

Why should I offer HTTP in addition to HTTPS?

I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms. These all seem to be based on the assumption that I am serving http://www.example.com in…
lofidevops
69 votes, 6 answers

What's the difference between using HSTS and doing a 301 redirection?

If I already have done a 301 redirection from all the HTTP inner pages to HTTPS, why should I use HSTS as well?
Franzech Domâs
60 votes, 4 answers

Can HSTS be disabled in Firefox?

For pentesting/VA, it is, of course, imperative to always be able to see the HTTP site of a target. If present, HSTS conflicts with this need. Without using a proxy to address the problem (e.g. Burp), is it possible to natively disable HSTS in…
Cheekysoft
38 votes, 4 answers

HSTS on a subdomain with includeSubdomains

Suppose that my site is located at foo.example.com and I send the following HTTP header when visitors access my site using HTTPS: Strict-Transport-Security: max-age=31536000; includeSubDomains Would the HSTS policy have any effect on domains…
rink.attendant.6
35 votes, 3 answers

How can I see which sites have set the HSTS flag in my browser?

My question is about Firefox and Chrome. Is there a possibility to see which sites have set the HSTS flag in my browser?
HorstKevin
34 votes, 6 answers

Can a secure cookie be set from an insecure HTTP connection? If so, why is it allowed?

With reference to some security paper I read, I found out that a cookie with the secure flag set can only be sent by the client over connections that are using HTTPS, not HTTP, but the cookie itself can be set from the server with a secure flag from…
mfs
32 votes, 1 answer

"google.com" is not HSTS protected?

Issue: Oftentimes people enter google.com directly in the browser's address bar without including either the http:// or https:// prefixes. Using Chrome DevTools on a fresh incognito session, I ran the following…
el_tigro
32 votes, 2 answers

HSTS extra security over HTTPS

Is HSTS good to use even if my servers are configured to use HTTPS (when HTTP is used, the rewrite rules in Apache turn it into HTTPS)? Also, should HSTS be used even on resources like CSS and images, or just when the content type is text/html?
Novice User
26 votes, 4 answers

How can a web application protect users when the browser doesn't support HSTS?

HTTP Strict Transport Security (HSTS) is a very useful feature for preventing OWASP A9 violations and attacks like SSLStrip, which try to prevent the client from making a secure connection. This technology, however, isn't in older versions of web…
rook
25 votes, 2 answers

Do I have a current MITM?

I apologise for the terseness of this question; I have an issue. Google.co.uk is failing its HSTS on my browsers. Is this an issue with google.co.uk or is this just me? Is someone middle-manning my internet connection? While I can find plenty of…
Martin
23 votes, 3 answers

Should I activate HSTS with Let’s Encrypt Certificates?

I recently set up a web server that—among others—serves ownCloud to some of my users. I got a Let’s Encrypt SSL Certificate because I didn’t want to use a self-signed certificate like the one ownCloud uses out of the box. I configured Apache to…
architekt
22 votes, 2 answers

Is there any point in having the HSTS header enabled when using HTTP/2?

As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured. However, HTTP/2, whilst not making encryption…
user96649
21 votes, 4 answers

Why does Firefox claim that my connection to Google is insecure?

I keep receiving this message whenever I open any site from Google: My Firefox is up to date, and so is my Windows 8.1. Since I don't know much about HSTS, I don't know what's going on, and obviously, I can't google it. Using a VPN doesn't solve the…
Eibo
20 votes, 2 answers

Why does rfc6797 say "An HSTS Host MUST NOT include the STS header field in HTTP responses over non-secure transport."

Why does the RFC prohibit the server from sending HSTS to the client over HTTP? I can see that if an HTTP client responds to that insecure HTTP response it might cause that site to be inaccessible to the client, but I don't see any reason for the…
makerofthings7
20 votes, 3 answers

Checking a domain's HSTS status

The Google Chrome browser offers a quick way to check a domain's HSTS (HTTP Strict Transport Security) status via the page chrome://net-internals/#hsts (section Query domain). The query result looks e.g. like this: Found: domain:…
Marek Puchalski