Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.

HSTS is based on research done by Adam Barth and Colin Jackson on the ForceHTTPS protocol starting in 2008, which evolved into the ForceTLS protocol and finally the HSTS protocol.

326 questions
0 votes, 2 answers

HSTS Preload Submission

I want to pass all tests for HSTS Preload. I currently have 2 errors that I need to solve: First: `http://example.com` (HTTP) should immediately redirect to `https://example.com` (HTTPS) before adding the www subdomain. Right now, the first…
JGeer
0 votes, 2 answers

HPKP headers not honored by google chrome 52?

My Apache https server has returned the following header as a response for a request to https://lab20.example.com: Public-Key-Pins:pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q=";…
user2913139
0 votes, 1 answer

HTTPS redirect for static file in appengine java

Due to the HSTS requirement, static files served from Appengine Java must be served over HTTPS only (i.e., redirect from HTTP to HTTPS). HTTPS only is possible in the web.xml descriptor, but appengine-web.xml does not support it. Is there any way?
Kyaw Tun
0 votes, 1 answer

Is Strict Transport Security (HSTS) supported by libcurl?

AFAIK HSTS is a server side property that tells the browser that it should only work with https requests with this server (correct me please if I'm wrong). HSTS will not help in cases of redirecting from http to https, in this time frame of…
15412s
0 votes, 1 answer

Ignore HSTS in Chrome app/extension

I'm writing a Chrome packaged app for diagnosing web services. I want to be able to send a GET request to a URL and look at the headers and data in the response. My problem is if a user visits a site that has the HSTS header set before using my…
0 votes, 1 answer

How to prevent HSTS?

I have an SDK and want to support both http and https, but browsers always force https. I know that is a good feature of browsers, but many websites using http could not use my SDK. Does anyone know how I can prevent HSTS or a solution for this?
thehuyvb
0 votes, 1 answer

Hsts in firefox and chrome

The web browsers store the STS header, but I don't know exactly where. Where do Chrome and Firefox store the STS header? And can a browser turn off the HSTS protocol?
Peter11
0 votes, 1 answer

Does HSTS upgrade all resources to HTTPS irrespective to the domain

I am adding the HTTP Strict Transport Security header to a website. Does it prevent loading of resources over HTTP that are not in same domain?
user20110
0 votes, 2 answers

Adding HSTS http headers on domain root during redirect to www subdomain in web.config

I have an asp.net web application which is indexed by the search engines on the sub-domain "www". I don't really want to change that: requests to the root domain are all set up with a permanent redirect to the www version and that's all fine. I've…
Nathan
0 votes, 1 answer

HSTS and access to subdomain with Javascript

Some weeks ago I have moved a homepage to https only and also enabled HSTS. On one page I have some JavaScript code that got its content from a subdomain via a http-request. Before https was enabled this worked well. I also changed the http protocol…
Teddy
0 votes, 2 answers

Putting hsts headers in apache using htaccess or httpd.conf

I have purchased an SSL certificate recently and have redirected all my traffic the secured https way, but I want to get included in the HSTS preload list. For that reason I want to include the HSTS header. Is there any way using .htaccess or httpd.conf or if…
Punit Makwana
0 votes, 2 answers

Secure first HTTP request

I'm building a Web site, and wondering how I can assure that it is secure if the first request is made by HTTP. HSTS does this, but partially. I think not opening the HTTP port solves this problem. But is this standard? My site is B to B, so SEO is not a problem.…
pandora2000
0 votes, 1 answer

How can I add HSTS for a mixed website with http and https?

The webserver in use is nginx. Suppose I have a website http://www.test.com, and then there is https://test.com?market. I am redirecting all https to 301 http for test.com. Suppose I want to enable the https strict transport security header for url. I can…
melvil james
0 votes, 1 answer

Set and check STS Header is present

I have (hopefully) set apache to issue an STS header for all HTTPS traffic as described in "How to set HSTS header from .htaccess only on HTTPS". I was hoping to be able to verify that this was working by looking at the response header in chrome dev…
jx12345
0 votes, 1 answer

HSTS: Should I force user to use HTTPS on load balance or web server?

My environment : 1.) 1 load balance server (nginx) 2.) 2 web servers (express.js running on node.js) 3.) 1 database server Hello, I am trying to force my user to use https. I look through many tutorials on how to implement https in…
pupuupup