This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview [1] [2]
[{$pagename}] is the [HTTP] response [HTTP Header Field] sent by the [Server] to the [User-agent] to declare an [HTTP Strict Transport Security] Policy ([RFC 6797]). [{$pagename}] is one attempt to reduce the [Public Key Infrastructure Weaknesses] [Attack Surface].
!! [{$pagename}] [Examples] [1]
%%prettify
{{{
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
}}}
/%
! Directives
* max-age=<expire-time> - The time, in seconds, that the [browser] should remember that a site is only to be accessed using [HTTPS].
* includeSubDomains - [OPTIONAL] - If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
* preload - [OPTIONAL] - See Preloading Strict Transport Security for details. __NOT part of the specification__. The preload directive is [browser] dependent
!! [{$pagename}] [Browser]/[User-agent]
When a [Website] is accessed using [HTTPS] and it returns the [{$pagename}] header, the [browser] records this information, so that future attempts to load the site using [HTTP] will automatically use [HTTPS] instead.
When the [Expiration Date] specified by the [{$pagename}] header elapses, the next attempt to load the site via [HTTP] will proceed as normal instead of automatically using [HTTPS].
Whenever the [{$pagename}] header is delivered to the [browser], it will update the [Expiration Date] for that [Website], so sites can refresh this information and prevent the timeout from expiring.
Should it be necessary to __disable__ [{$pagename}], setting the max-age to 0 (over a [HTTPS] connection) will immediately expire the [{$pagename}] header, allowing access via [HTTP].
!! Preloading [{$pagename}]
[Google] maintains an [HSTS] preload service. By following the guidelines and successfully submitting your domain, [browsers] will never connect to your domain using an insecure connection. While the service is hosted by [Google], all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the [HSTS] [specification] and should not be treated as official.
* Information regarding the [HSTS] preload list in Chrome :
** The List: [https://www.chromium.org/hsts|https://www.chromium.org/hsts|target='_blank']
** A [website] can be submitted to be __hardcoded into [Chrome] as being [HTTPS] only__ at [https://hstspreload.org|https://hstspreload.org|target='_blank']
* Consultation of the [Firefox] [HSTS] preload list : [nsSTSPreloadList.inc|https://dxr.mozilla.org/comm-central/source/mozilla/security/manager/ssl/nsSTSPreloadList.inc|target='_blank']
** This is a list that is used by [Mozilla]'s [Network Security Services] as sites that permanently use [HTTPS]
!! [Domain Name System] _NOT_ [IP Address]
[{$pagename}] Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded.
[RFC 6797] Appendix A explicitly excludes [IP Address]es.
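The following is an added example, not code from the original page or from any browser or the RFC itself. It ties together the three behaviours described above: the directive syntax from the Examples section (max-age, includeSubDomains, preload, with unknown directives ignored and a duplicated directive or a missing/non-numeric max-age invalidating the header, per [RFC 6797] section 6.1), the [User-agent] cache behaviour (upgrade of http:// requests while the policy is unexpired, refresh of the expiration date on every delivery, max-age=0 disabling the policy, and headers received over a non-secure transport being ignored), and the rule that IP address literals never become [HSTS] hosts. The names StsPolicy, parse_sts_header, is_ip_literal and HstsStore are assumptions made for this example; the header values and hostnames in the comments are constructed samples.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Directive grammar from RFC 6797 section 6.1: directives are separated by ";",
# names are case-insensitive, a value may be quoted, and unknown directives are
# ignored. Each directive may appear at most once.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


@dataclass
class StsPolicy:  # hypothetical name
    max_age: int
    include_subdomains: bool = False
    preload: bool = False  # not part of RFC 6797; browser dependent


def parse_sts_header(value: str) -> Optional[StsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is invalid and must be ignored:
    missing max-age, non-numeric max-age, a malformed directive,
    or a directive given twice.
    """
    seen = {}
    for raw in value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen[name] = m.group(3)
    max_age = seen.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None
    return StsPolicy(
        max_age=int(max_age),
        include_subdomains='includesubdomains' in seen,
        preload='preload' in seen,
    )


def is_ip_literal(host: str) -> bool:
    """HSTS hosts are domain names only (RFC 6797 Appendix A); an IPv4 or a
    bracketed IPv6 literal never becomes an HSTS host."""
    try:
        ipaddress.ip_address(host.strip('[]'))
        return True
    except ValueError:
        return False


class HstsStore:  # hypothetical name: a minimal model of a user agent's HSTS cache
    def __init__(self):
        self._entries = {}  # host -> (expires_at_seconds, include_subdomains)

    def observe(self, host, header_value, secure_transport, now):
        """Process an STS header received from `host` at time `now` (seconds).

        `secure_transport` is True only for an HTTPS connection with no
        certificate warnings; a header seen over plain HTTP is ignored."""
        host = host.lower()
        if not secure_transport or is_ip_literal(host):
            return
        policy = parse_sts_header(header_value)
        if policy is None:
            return
        if policy.max_age == 0:
            # max-age=0 expires the policy immediately, allowing http:// again.
            self._entries.pop(host, None)
            return
        # Every delivery refreshes the expiration date, so a site can keep the
        # policy alive indefinitely by re-sending the header.
        self._entries[host] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host, now):
        """True if an http:// request to `host` must be rewritten to https://."""
        host = host.lower()
        labels = host.split('.')
        # Check the host itself (i == 0) and every superdomain above it.
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired: the next http:// load proceeds as normal
            if i == 0 or include_subdomains:
                return True
        return False
```

A practitioner can point parse_sts_header at the header a server actually returns to confirm it is well-formed before relying on it, and the store shows why the refresh behaviour matters: a policy with a short max-age that is re-sent on every response never lapses, while one that stops being sent silently expires.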
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Strict-Transport-Security|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security|target='_blank'] - based on information obtained 2018-05-12
* [#2] - [HTTP_Strict_Transport_Security|Wikipedia:HTTP_Strict_Transport_Security|target='_blank'] - based on information obtained 2018-07-31