Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HTTP Strict Transport Security

Abraham Martin
July 25, 2014
Programming
2
260

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". HSTS Policy specifies a period of time during which the user agent shall access the server in only secure fashion.

Description source: Wikipedia

Abraham Martin

July 25, 2014
Tweet

More Decks by Abraham Martin

See All by Abraham Martin
Architecture of a cloud hosting service using python technologies
abrahammartin
1
290

Other Decks in Programming

See All in Programming
12年前の『型システム入門』翻訳の思い出話
mame
11
1.2k
開発部に不満を持っていたCSがエンジニアにジョブチェンしてわかった「勝手に諦めない」ことの大切さ
sakuraikotone
28
16k
Exploring the Gradually Lost Technical Skills in the Cloud Native Era
hwchiu
2
3.9k
Google's Recipe for Scaling (Web) Security – LocoMocoSec 2024
lweichselbaum
0
170
リハビリmruby
kishima
1
160
How to use Macrobenchmark
veronikapj
0
160
今こそ始める、CDKコンストラクトライブラリ開発 ― 入門から実践まで
tmokmss
1
930
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
81k
CSC307 Lecture 08
javiergs
PRO
0
330
Product Management LT会_クアンド新家
shinshin
0
210
日付と正規化
megmogmog1965
0
140
Rubyのパフォーマンスプロファイリングの改善 / Enhancing performance profiling for Ruby
osyoyu
1
410

Featured

See All Featured
For a Future-Friendly Web
brad_frost
173
9.2k
The Power of CSS Pseudo Elements
geoffreycrofte
64
5.2k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
13
430
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
78
15k
How GitHub (no longer) Works
holman
305
140k
Scaling GitHub
holman
458
140k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
360
22k
Building a Scalable Design System with Sketch
lauravandoore
458
32k
Thoughts on Productivity
jonyablonski
64
4.1k
Visualization
eitanlees
139
14k
How STYLIGHT went responsive
nonsquared
93
5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
90
47k

Transcript

  1. HSTS Abraham Martin (@abraham_martinc) University of Cambridge

  2. HTTP Strict Transport Security RFC 6797 November 2012

  3. Browser Bank web server http://bank.com …<a href=“https://bank.com/login.html”>… https://bank.com/login.html” Cookies! (Session)

    HTTP HTTPS

  4. Browser Man in the middle http://bank.com …<a href=“https://benk.com/login.html”>… https://benk.com/login.html” Certificate

    is valid!… …for benk.com Also, an attacker could get the cookies/session HTTP HTTPS

  5. You could think… Ok, I’m secure because I have my

    web server configured to redirect all http calls to https.

  6. Browser http://bank.com HTTP 302 Redirect to https://bank.com https://bank.com/ HTTP HTTPS

    Bank web server

  7. Configuring your web server to always redirect to HTTPS does

    NOT solves the problem

  8. Browser Man in the middle http://bank.com HTTP 302 Redirect to

    https://benk.com https://benk.com/ Certificate is valid!… …for benk.com HTTP HTTPS

  9. HTTP Strict Transport Security to the rescue

  10. Browser http://bank.com …<a href=“https://bank.com/login.html”>… https://bank.com/login.html” Header: Strict-Transport-Security Browser saves this

    sites as STS HTTP HTTPS Bank web server

  11. Browser http://bank.com HTTP 302 Redirect to https://bank.com https://bank.com/ HTTP HTTPS

    Header: Strict-Transport-Security Browser saves this sites as STS Bank web server

  12. Next time the user writes in their browser http://bank.com or

    bank.com

  13. Browser http://bank.com https://bank.com Impossible man in the middle attack HTTP

    HTTPS Bank web server

  14. Header always set Strict-Transport-Security "max- age=63072000; includeSubDomains"

  15. http://caniuse.com/