
HTTP Strict Transport Security


HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL[1]). HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy[2] is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS Policy specifies a period of time during which the user agent shall access the server only in a secure fashion.

Description source: Wikipedia

Abraham Martin

July 25, 2014



  1. Browser → man in the middle: the browser requests http://bank.com over plain HTTP; the attacker rewrites the page so that its link reads `<a href="https://benk.com/login.html">`, the browser then opens https://benk.com/login.html over HTTPS, and the certificate is valid!… …for benk.com. Also, an attacker could get the cookies/session.
  2. You could think… "Ok, I'm secure because I have my web server configured to redirect all http calls to https."
  3. Browser → man in the middle: the browser requests http://bank.com over plain HTTP, the attacker answers with "HTTP 302 Redirect to https://benk.com", the browser opens https://benk.com/ over HTTPS, and the certificate is valid!… …for benk.com.
  4. Browser → bank web server: the browser requests http://bank.com over plain HTTP and receives "HTTP 302 Redirect to https://bank.com"; the HTTPS response from https://bank.com/ carries the header Strict-Transport-Security, and the browser saves this site as STS.
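The behaviour slide 4 describes, as an added example that is not part of the deck: a small Python model of a browser's HSTS cache. It parses the Strict-Transport-Security value per RFC 6797, remembers it only when the response arrived over HTTPS (so a header seen on the plain-HTTP leg of the man-in-the-middle exchange in slides 1 and 3 is ignored), and rewrites later http:// navigations to https:// for the host and, with includeSubDomains, its subdomains. The `headers` argument is assumed to be a dict with lower-cased header names, and certificate validation, which the RFC also requires before the header is honoured, is assumed to have already succeeded.

```python
import time
from urllib.parse import urlsplit, urlunsplit

def parse_sts(value):
    """Parse an STS header value (RFC 6797 s6.1): (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or malformed max-age: the whole header is rejected
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True  # any other directive is ignored, as the RFC requires
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry time, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def observe(self, url, headers, now=None):
        """Remember the header from a response; assumes `headers` has lower-cased names."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        parsed = parse_sts(headers.get("strict-transport-security", ""))
        if parts.scheme != "https" or parsed is None:
            return False  # RFC 6797 s8.1: the header is ignored on plain-HTTP responses
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[parts.hostname] = (now + max_age, include_sub)
        return True

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually fetch (RFC 6797 s8.3 URI rewriting)."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url  # no known host: the request stays on plain HTTP
```

The very first request to http://bank.com is still unprotected: the rewrite only starts once one successful HTTPS response carrying the header has been seen, and a lookalike host such as benk.com never gets an entry of its own.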