Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
0 votes, 1 answer

What key do browsers use to encrypt HTTPS requests to preloaded HSTS sites?

As far as I know, HTTPS requests are regular HTTP requests encrypted with the public key provided by the server during the initial handshake. I have been reading about HSTS but have not been able to find anything related to the public key of sites…
ale11
  • 123
  • 7
0 votes, 1 answer

Set HSTS Header on WebSphere Application Server

An application can use HSTS by setting the Strict-Transport-Security header with the appropriate values. Once a browser that supports HSTS receives this header, it will force all future connections to that domain to take place over or redirect to…
Dev Fh
  • 586
  • 7
  • 18
0 votes, 1 answer

HSTS and SslStrip

I am creating a workshop with Sslstrip and ettercap. With everything set up fine (I think) the usual case works: A page without Hsts will be 'redirected' to http. However, popular pages like twitter and facebook use the Hsts. I expected to get the…
CookieAndPizza
  • 71
  • 3
  • 15
0 votes, 1 answer

If I set up HSTS on a domain that already implements a 301 redirect, which will take precedence?

Ok, so the scenario is that we have an http domain which currently uses a 301 redirect, we want to change this domain to no longer 301 redirect, and instead to be the main domain for said website. The problem here is that 301 redirects are cached…
Sean
  • 6,389
  • 9
  • 45
  • 69
0 votes, 3 answers

Set HSTS header in htaccess if it isn't already present

I've set HSTS in a common .htaccess which is being used by multiple sites. Header set Strict-Transport-Security "max-age=31536000" env=HTTPS But when a site has already set HSTS header from the virtual host configuration, then there happens to be…
Tom
  • 316
  • 2
  • 9
  • 30
0 votes, 0 answers

.net Core -- implement HSTS in AWS

We would like to get an A+ from SSL labs security test. Currently the lack of HSTS is keeping us from the highest score. What asp.net-core code would we use to implement HSTS on an ec2 server or elastic beanstalk environment?
0 votes, 0 answers

net::err_cert_weak_signature_algorithm visiting website on MacBook

A visitor browsing our website: https://www.construct.net is reporting they can't visit the website and are seeing this error: I can't reproduce this error - does anyone have suggestions on what might be causing this?
Tom Gullen
  • 61,249
  • 84
  • 283
  • 456
0 votes, 2 answers

HSTS: Using includeSubdomains when I have no subdomains

The question is almost in the title itself. If I had an app and use includeSubdomains for the HSTS header but have no subdomains at all, is this considered good or bad?
Jim Aho
  • 9,932
  • 15
  • 56
  • 87
0 votes, 1 answer

Is it possible to redirect from a non-secure to secure connection after enabling HSTS?

I recently started serving the 'strict-transport-security' header on one of my websites. A problem I hadn't anticipated is that my SSL certificate only covers mydomain.com and so if a user visits www.mydomain.com, rather than being redirected (as…
Jack Roscoe
  • 4,293
  • 10
  • 37
  • 46
0 votes, 1 answer

Why does SSL Labs test say that HSTS is enabled when the header is sent over HTTP, but not when sent over HTTPS?

I'm trying to configure HSTS on my server. I've noticed that the test on SSLLabs.com will tell me that HSTS has been enabled if I send the HSTS header over the initial unencrypted HTTP connection. This, however, is in violation of the HSTS spec…
0 votes, 1 answer

HTTP Strict Transport Security and HTML5 Application Cache

We're using the HTML5 Application Cache feature: ... When returning users navigate to this application they will already have all static files cached and the application is therefore loaded without network…
Mårten Wikström
  • 11,074
  • 5
  • 47
  • 87
0 votes, 1 answer

Enable HSTS in CAS Web application

I have a CAS (Central Authentication Service) integrated web application. The default implementation of CAS webapp login (/cas/login) is not enforced with HSTS policy (Strict-Transport-Security). Except a custom authentication handler everything…
Shyam
  • 11
  • 4
0 votes, 1 answer

How do I convert http to https in my Grails application REST? Basically implement HTTP Strict Transport Security

I have used the below code in a filter but it doesn't work to make my http into https. I am not sure if I need to register it in resources.groovy because I am a little new to groovy. addHeader(uri: '/*') { before = { …
VStar
  • 1
0 votes, 2 answers

Deleting Chrome HSTS for facebook.com not working

I am currently doing some debugging on my website which involves calling the facebook API. I've installed dnsmasq to work with my mac os X to redirect all requests to facebook.com to 127.0.0.1 I have an echo server which will print out all the raw…
Tinker
  • 4,165
  • 6
  • 33
  • 72
0 votes, 1 answer

URL Scheme Rewriting, from HTTP to HTTPS, for Specific domains, within a Browser

Is there a way to configure a browser (Firefox/Chrome) such that, if it encounters an HTTP URL (clicked or entered on the address bar - eg: http://abc.xyz.com/... ), it modifies it to an https URL https://abc.xyz.com/... Note that the site abc.xyz.com…
Sathya Meda
  • 35
  • 1
  • 6