Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
IE Edge not honoring Lambda@Edge HSTS (0 votes, 1 answer)

I have a React app hosted in AWS S3. To help secure it, I have implemented Lambda@Edge following the AWS guide: https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/ The…
nginx SSL and HSTS questions (0 votes, 2 answers)

I have an Nginx with SSL already, without HSTS. But in the backend, a few services are not HTTPS. Is there any potential risk in enabling HSTS? I am worried that the HSTS header will break the internal route when the HSTS header exists, force…
Izek Chen
WinServer 2019 Standard HTTPS Issue (0 votes, 0 answers)

Recently installed Windows Server 2019 Standard (legit and activated) and migrated my mail server over to this server. I noticed after I was done that I cannot browse the web if the website uses HTTPS. Below I attached pictures and I have tried to…
Shiphted
Do applications have to explicitly implement action to HTTPS HSTS? (0 votes, 1 answer)

I found that most modern browsers support HSTS and switch over to HTTPS if they find it in the HTTP/HTTPS headers for the domain. Browsers would implement an appropriate response to the HSTS header. What about client applications that are making…
Fails with "No HSTS Header" (0 votes, 0 answers)

I'm trying to add HSTS to my site. I added the line for it and then checked it here but it fails with "No HSTS header". The site is configured to use www and in researching this failure, it seems I have to redirect to non-www first. I already had…
user3052443
HSTS enabled site and Penetration test (0 votes, 1 answer)

I set up our .NET web application so that it has HSTS enabled. I verified this by going to https://gf.dev/hsts-test and putting in our URL, and it shows that HSTS protection is there. The result shows: Strict-Transport-Security max-age=31536000;…
Fylix
Implement HTTP Strict Transport Security (HSTS) on VisualSVN (0 votes, 1 answer)

Our cyber security team has recommended the introduction of HTTP Strict-Transport-Security response headers, but I cannot see anywhere in VisualSVN (or the configuration of it) to do this. This is for VisualSVN Enterprise 4.2.2 (using Apache 1.10.6)…
Sean
Java Spring Strict-Transport-Security Overridden When Deployed (0 votes, 0 answers)

I'm new to Java Spring security. I've been able to successfully add some HTTP headers and deploy them via the code I have below. Once the basic HTTP headers were working, I also added headers for Strict-Transport-Security. It seems to work…
Rob Horton
Will setting HstsOptions.IncludeSubDomains from an app hosted in a sub-domain affect other sub-domains? (0 votes, 1 answer)

I've got an ASP.NET Core 3 application, which is hosted under a sub-domain. If I set HstsOptions.IncludeSubDomains to true, will that make changes to other domains/apps hosted on the main domain, or will it only be sub-domains on an even lower level (for…
SpiritBob
How to enable HSTS for asp.net project on IIS 8.5 (0 votes, 0 answers)

I have been looking for how to enable HSTS on an ASP.NET application. I finally found a way, but I'm a bit confused with the value of the tags. Please refer to the XML below: do the values in parentheses indicate that I should replace them with my value, or are…
Amir
Web page security - HTTP, HTTPS, HSTS (0 votes, 1 answer)

I have an IIS web server, where I have direct access to a page like (page.com), so that's the reason why I have allowed HTTP (port 80) and then I am using HTTPS (port 443). When a user enters the page on port 80 (page.com), he will be redirected to HTTPS…
Sirdhemond
Are Cloudflare's warnings about HSTS overblown? (0 votes, 1 answer)

The warnings Cloudflare presents me with about enabling HSTS are both lengthy and full of dire warnings describing a few situations in which my users will not be able to visit my site for up to 6 months (i.e. forever). example here It seems to me…
jsharpe
Use app.UseHsts() in the case of an Apache proxy server (0 votes, 1 answer)

In case I use an Apache proxy server for my ASP.NET Core 2.2 app, what actually happens when I use app.UseHsts();?
AED
Adding HSTS header in my internal website doesn't work as expected (0 votes, 1 answer)

I have created a website where I am trying to add the HSTS security header via httpd.conf: Header always set Strict-Transport-Security 'max-age=4000; includeSubDomains' Adding the above code, I am able to see the…
ragul rangarajan
Did Not Connect: Potential Security Issue (0 votes, 1 answer)

I am not able to continue visiting my local development website, because browsers are blocking the site, and the common problem is HSTS. I am unable to figure out what's gone wrong. Recently I set up a new system for web development. Everything was working well since…
Vin.AI