Questions tagged [hsts]

HTTP Strict Transport Security (HSTS), specified in RFC 6797, is a web security policy mechanism whereby a web server declares, through the Strict-Transport-Security response header, that complying user agents are to interact with it using only secure HTTPS connections. A user agent honours the header only when it arrives over an error-free HTTPS connection; the header has no effect when sent over plain HTTP.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.
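As an added example (not code from the tag wiki, from any question on this page, from a browser, or from hstspreload.org), the following Python models what a complying user agent does with the header described above: it parses Strict-Transport-Security per RFC 6797, reports why a header would be refused for preload submission, and keeps a small policy cache that decides whether an http:// request gets upgraded. The one-year minimum max-age and the treatment of preload-list entries as covering subdomains are assumptions about the preload list's published rules; every host, header and timestamp below is constructed.

```python
"""HSTS header parsing, preload-readiness check and a user-agent policy store.

Added example for this tag page; not code from any question, browser or
hstspreload.org.  Parsing and enforcement follow RFC 6797.  The preload
thresholds are assumptions about hstspreload.org's current requirements.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds; assumed preload-list minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # submission signal only; browsers do not act on this directive


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is mandatory (a quoted value
    is accepted), a directive may not be repeated, and unknown directives are
    ignored.  That last rule is why a misspelled includeSubDomains quietly
    leaves every subdomain unprotected.  Returns None for an invalid header.
    """
    seen: dict = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive: the UA must ignore the header
        seen[name] = val.strip().strip('"')
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def preload_problems(value: str) -> list:
    """Reasons a header would fail preload submission; an empty list means it passes."""
    policy = parse_hsts(value)
    if policy is None:
        return ["no valid HSTS header"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    """Minimal model of a browser's HSTS cache plus a built-in preload list."""

    def __init__(self, preload_list=()):
        self.cache = {}  # host -> (expires_at, include_subdomains)
        # Assumption: preload entries carry includeSubDomains, as the list requires.
        self.preloaded = {h.lower() for h in preload_list}

    def observe(self, host: str, scheme: str, value: Optional[str], now: int) -> bool:
        """Record a response; returns True if the header changed the cache.

        RFC 6797 section 8.1: the header is honoured only over HTTPS and never
        for an IP-literal host.  max-age=0 tells the UA to forget the host.
        """
        host = host.lower()
        if scheme != "https" or _is_ip_literal(host) or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy.max_age == 0:
            return self.cache.pop(host, None) is not None
        self.cache[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def should_upgrade(self, host: str, now: int) -> bool:
        """Would an http:// request to host be rewritten to https:// right now?"""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.preloaded:
                return True
            entry = self.cache.get(parent)
            # A parent's entry applies only if it carried includeSubDomains.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Two things the model makes visible that the header alone does not: the very first http:// request to a host the browser has never seen is still sent in the clear (only the preload list closes that window), and a `preload` directive on a site that is not yet in the list changes nothing in the browser; it only makes the site eligible for submission.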


326 questions
0
votes
2 answers

Running http and https from the server with different ports

I have multiple Tomcat servers with independent configurations running on the same server at different ports. I recently converted a few Tomcat servers from HTTP to HTTPS. So the strange problem is: Application 1: running at https://x.y.z.w:10001…
SVGK Raju
0
votes
0 answers

IIS and Tomcat both need to be updated to HSTS

We have a server which runs on Tomcat and IIS. We upgraded IIS to use HSTS by adding the following parameters: Strict-Transport-Security: max-age=*; includeSubdomais: preload Question: Do we have to add any parameters to the Tomcat file in order to…
Olena
0
votes
1 answer

How to examine a list of websites against HSTS headers?

I need to examine a list of websites to check if they support the HSTS policy or not. I grabbed their response headers. However, I am confused now because it appears that HSTS policy subscription can be done through preloaded lists and not only…
qbq
0
votes
1 answer

What is the advantage of 2-redirect HSTS instead of 1-redirect HSTS

https://hstspreload.org/ suggests that there should be 2 redirects: http://yourdomain.com to https://yourdomain.com, and https://yourdomain.com to https://www.yourdomain.com. I implemented the 2-redirect solution using the below code in the .htaccess file…
shivgre
0
votes
1 answer

Traefik uses a certificate without chain after completing tls-alpn-01 challenge

I decided to switch from jwilder/nginx-proxy to traefik since I want to route to containers based on the URI-path which is not possible with jwilder/nginx-proxy but should be with traefik. To do so I first wanted to transform my current setup (on…
rominator007
0
votes
1 answer

How to Harden Apache against security vulnerabilities

We have Apache version 2.4.6 installed on RHEL 7.5 in production. The security audit team found a few vulnerabilities lately which need to be fixed. 1.) During the audit, it is observed that the connect web server is vulnerable to Slowloris…
0
votes
1 answer

How to set the strict transport security header for jetty 9.2.25

I am trying to add the strict transport security header to my Jetty server 9.2.25. I have tried to add the rule to my jetty-config.xml, but it does not seem to work.
Suman
0
votes
1 answer

hsts preload without being listed?

What is the effect of the preload directive if it is included before the site is listed? I'm hoping it just has no effect but I'm struggling to find any solid info and I'm nervous of it leading to problems.
tracer tong
0
votes
2 answers

Production never redirects to https even though the API is enabled for https redirect

I am working on an ASP.NET Core 2.1 API. The API is working as expected in all environments. Recently we enabled it for HSTS headers, so we added the below code in startup.cs -> ConfigureServices method: services.AddHsts(options => { …
Sanket
0
votes
0 answers

Unable to submit website with HSTS for preload

We have currently implemented HSTS into our website. However when I want to submit it on hstspreload.org I get this error: Response error: No HSTS header is present on the response. When I visit the site (Link here) I normally get HSTS response…
user10756951
0
votes
0 answers

how to add HSTS to a WebView?

I am trying to add HSTS to webview in my app, I tried editing network_security_config.xml as follows xxx.xxx.xxx
0
votes
1 answer

How to make clients request over HTTPS without HSTS preload?

If I request our website using HTTP http://example.com, the response is 301 Moved Permanently with the Location header set to https://example.com - which, of course, is insecure due to MIM attack. Is there not a way to just respond to the browser…
Viktor
0
votes
1 answer

Are there any practical risks to enabling preloaded HSTS on greenfield (.NET Core)

Referencing this: https://hstspreload.org/ There's a bunch of stuff about making really sure that it all works before you get them to pre-load it: when testing first test with a max-age of 5 minutes, then ramp up to 1 week, & 1 month. They say if…
Brondahl
0
votes
1 answer

HSTS on subdomain ONLY on nginx

I want to allow HSTS on SUBDOMAIN ONLY (test.example.com) on nginx and NOT ON THE DOMAIN, because I simply do not have any host linking to my original domain in my application (example.com); this means I only have subdomains in my nginx configuration. I…
Ghassan Zein
0
votes
1 answer

Disable HTTP Strict Transport Security (HSTS) if the user did not accept cookies

I need to activate HSTS on my webserver. But what should I do if the user did not allow cookies by clicking "no" on my 'do you accept our cookies' alert? Can I theoretically disable HSTS in such cases or is it always active? I know it would not…
Black