Questions tagged [hsts]

HTTP Strict Transport Security (HSTS) is a web security policy mechanism, specified in RFC 6797, whereby a web server declares through the Strict-Transport-Security response header that complying user agents are to interact with it using only secure HTTPS connections for the period given by max-age, optionally covering its subdomains as well (includeSubDomains). A user agent honors the header only when it arrives over a TLS connection without certificate errors; once a host is known, the browser rewrites http:// requests to https:// before sending them and treats certificate errors for that host as hard failures that cannot be clicked through.

HSTS is based on research done by Adam Barth and Collin Jackson on the ForceHTTPS proposal starting in 2008, which evolved into ForceTLS and finally the HSTS protocol.
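The policy mechanism described above, as an added example that is not part of the tag description or of any project: a small model of the user agent's side of HSTS. It parses the Strict-Transport-Security header with the RFC 6797 rules (case-insensitive directive names, mandatory max-age, a repeated directive invalidates the header), keeps a cache of known HSTS hosts, and upgrades http:// URLs, including subdomains when includeSubDomains is set. The hosts, header values and clock are constructed, and the preload check assumes the hstspreload.org submission rules (max-age of at least one year, includeSubDomains and preload all present).

```python
# Added example (not from the page): how a user agent applies Strict-Transport-Security, RFC 6797.
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31_536_000  # assumed hstspreload.org minimum: one year


def parse_sts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Return (max_age, include_subdomains, preload), or None for an invalid header.
    Names are case-insensitive, max-age is mandatory, unknown directives are ignored,
    and a repeated directive invalidates the whole header (RFC 6797)."""
    seen, max_age, include_subdomains, preload = set(), None, False, False
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True  # not in RFC 6797; read only by the preload list
    return None if max_age is None else (max_age, include_subdomains, preload)


def preload_problems(value: str) -> List[str]:
    """Header-level reasons a policy would fail preload submission (assumed rules)."""
    parsed = parse_sts(value)
    if parsed is None:
        return ["header missing or unparsable"]
    max_age, include_subdomains, preload = parsed
    checks = [
        (max_age >= PRELOAD_MIN_MAX_AGE, f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}"),
        (include_subdomains, "includeSubDomains is required"),
        (preload, "preload directive is required"),
    ]
    return [reason for ok, reason in checks if not ok]


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now
        self._hosts: Dict[str, Tuple[float, bool]] = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url: str, sts_value: Optional[str], cert_ok: bool = True) -> bool:
        """Process one response; True if the store changed. Only an HTTPS response with a
        valid certificate counts; the header on plain HTTP is ignored."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or not cert_ok or not sts_value:
            return False
        parsed = parse_sts(sts_value)
        if parsed is None:
            return False
        max_age, include_subdomains, _ = parsed
        if max_age == 0:  # max-age=0 tells the UA to forget the host
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_hsts_host(self, host: str) -> bool:
        """True if host, or a superdomain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._hosts.get(".".join(labels[i:]))
            if policy and policy[0] > self._now() and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_hsts_host(host):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"  # keep non-80 ports
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict:
    """Constructed walk-through: one trusted HTTPS visit to the apex, then plain-HTTP links."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    ignored = store.observe_response("http://example.com/", "max-age=31536000")
    store.observe_response("https://example.com/", "max-age=31536000; includeSubDomains; preload")
    out = {
        "ignored_over_http": ignored,
        "apex": store.rewrite("http://example.com/login"),
        "tracking_subdomain": store.rewrite("http://links.example.com/click?id=1"),
    }
    clock[0] += 31_536_001  # step past max-age: the policy lapses unless refreshed
    out["after_expiry"] = store.rewrite("http://example.com/")
    return out
```

The walk-through reproduces the subdomain pitfall that several of the questions below run into: once the apex has sent includeSubDomains, a CNAME'd subdomain that can only serve plain HTTP is upgraded anyway and fails. Preloading removes the "first trusted HTTPS visit" step entirely, so a preloaded domain cannot be rolled back by simply dropping the header.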


326 questions
5 votes, 1 answer

Fix broken link tracking due to HSTS on subdomain?

So, almost a year ago, I set up HSTS on my site and submitted it to Google's preload list. Now, I have a problem because I whitelabeled my SendGrid link tracking, which relies on a CNAME for a subdomain of my site. So, those links fail and get a…
David
5 votes, 1 answer

HSTS bypass with sslstrip+ & dns2proxy

I am trying to understand how to bypass HSTS protection. I've read about tools by LeonardoNve ( https://github.com/LeonardoNve/sslstrip2 and https://github.com/LeonardoNve/dns2proxy ), but I don't quite get it. If the client is requesting the…
Nikkolasg
4 votes, 2 answers

Disable website redirection to HTTPS on Chrome

I have a domain http://radiotn.com that is redirecting to HTTPS on Chrome only. I want to disable this redirection and run my website on HTTP because it contains external radio streams that run on HTTP. The website doesn't redirect on Chrome…
mohamed
4 votes, 1 answer

HSTS preload Meaning

In MDN HTTP Strict Transport Security (HSTS), it has an example of HSTS settings as below: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload where I can find the corresponding meaning of max-age and includeSubDomains in RFC 6979,…
CHANist
4 votes, 1 answer

Spring Boot: Tomcat redirects to HTTPS 8443, no matter which HTTPS port I specify

I use a fairly standard method of redirecting Spring Boot's embedded Tomcat from HTTP to HTTPS, which is repeated in a number of tutorials. The method works perfectly for the ports HTTP 8080 and HTTPS 8443, which also repeat as examples in these…
scriptfoo
4 votes, 1 answer

HSTS Displays Disabled even though the header is present

My company is using Tenable to identify security vulnerabilities. Missing HSTS was identified recently. Our server is using IIS 10. I've added the HSTS header as outlined in multiple blogs, and questions here on SO. My root web.config looks like…
rogerdeuce
4 votes, 1 answer

How can I prevent Electron's Chromium from forcing HTTPS on fetch requests?

From the Electron renderer, I am accessing a local GraphQL endpoint served by a Django instance on my computer, which I'd like to do over HTTP, not HTTPS. But Electron's Chromium seems to intercept my fetch request and preemptively return a 307…
kaxline
4 votes, 2 answers

How to use STS headers with Traefik when using Docker

This is an issue I have been fighting with for days, but I could not find any help on Stack Overflow, not even close to it. I hope to help people with similar issues in the future. Any elaboration on this question/answer is very much welcome. I have…
Kenny
4 votes, 1 answer

Self-signed *.dev cert untrusted using Firefox 59 on Ubuntu

I am using Firefox 59.0.1 on Ubuntu and I am seeing the following error when accessing my development environment which is behind a self-signed SSL cert. Your connection is not secure The owner of crmpicco.dev has configured their website…
crmpicco
4 votes, 1 answer

bypassing HSTS error gives 'file not found'

I booted my local Vagrant folder today and my Symfony project gave an 'HSTS error'; you can bypass this by typing badidea. After I typed badidea it directed me to a page that says 'file not found'. Any ideas on how I can get my local Symfony project…
Arne Banck
4 votes, 1 answer

Local virtual hosts show Privacy Error on Chrome due to HSTS

I have created several virtual hosts for my development processes. They were working just fine till yesterday. But in Chrome, today they stopped working. Chrome shows: NET::ERR_CERT_AUTHORITY_INVALID All my vhosts end with .dev. I changed…
D. Coder
4 votes, 5 answers

Prevent http page from redirecting to https page

I have a website (userbob.com) that normally serves all pages as https. However, I am trying to have one subdirectory (userbob.com/tools/) always serve content as http. Currently, it seems like Chrome's HSTS feature (which I don't understand how…
John Weidner
4 votes, 0 answers

How to Fix : its security certificate is from [missing_subjectAltName]

Today I've stumbled onto a problem: "This server could not prove that it is" MY_SERVER_NAME "its security certificate is from [missing_subjectAltName]" This might have happened to you recently as well. Basically your SSL certificate was not…
aneth101
4 votes, 0 answers

How can I disable HSTS AND force redirect to http?

I just recently built a new site on an old domain name for a client. Apparently at some point in the past someone enabled HSTS on the domain, so some people were getting "Your connection is not private" errors when accessing it. To get around this I…
Mako
4 votes, 3 answers

Adding HSTS headers in app.yaml (Google App Engine)

I have the following handlers section in my app.yaml: handlers: - url: /(robots\.txt|sitemap\.xml) static_files: \1 upload: (robots\.txt|sitemap\.xml) secure: always http_headers: Strict-Transport-Security: 'max-age=63072000;…
hjpotter92