Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Introducción a HSTS
Search
Boris Quiroz
April 26, 2014
Technology
0
54
Introducción a HSTS
Boris Quiroz
April 26, 2014
Tweet
Share
More Decks by Boris Quiroz
See All by Boris Quiroz
Secrets management with Vault
boris
0
58
Docker Images Best Practices
boris
0
56
Software Freedom Day 2015
boris
0
45
Code Driven Infrastructure
boris
0
68
hola mundo
boris
0
64
DevOps Tools: Chef + Vagrant
boris
0
230
Kitchen.CI
boris
0
120
Hands-on Lab
boris
0
79
Tech, Method & Philosophy for the cloud
boris
0
54
Other Decks in Technology
See All in Technology
IaC を使いたくないけどポリシー管理をどうにかしたい
kazzpapa3
1
150
米軍Platform One / Black Pearlに学ぶ 極限環境DevSecOps
jyoshise
2
530
技術広報のOKRで生み出す 開発組織への価値 〜 カンファレンス協賛を通して育む学びの文化 〜 / Creating Value for Development Organisations Through Technical Communications OKRs — Nurturing a Culture of Learning Through Conference Sponsorship —
pauli
5
520
AIと自動化がもたらす業務効率化の実例: 反社チェック等の調査・業務プロセス自動化
enpipi
0
780
.NET 10のEntity Framework Coreの新機能
htkym
0
100
ABEJA FIRST GUIDE for Software Engineers
abeja
0
3.2k
FFMとJVMの実装から学ぶJavaのインテグリティ
kazumura
0
160
TypeScript 6.0で非推奨化されるオプションたち
uhyo
15
4.9k
【M3】攻めのセキュリティの実践!プロアクティブなセキュリティ対策の実践事例
axelmizu
0
180
ECS組み込みのBlue/Greenデプロイを動かしてELB側の動きを観察してみる
yuki_ink
3
410
スタートアップの事業成長を支えるアーキテクチャとエンジニアリング
doragt
1
7.1k
膨大なデータをどうさばく? Java × MQで作るPub/Subアーキテクチャ
zenta
0
120
Featured
See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
274
41k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3k
GraphQLとの向き合い方2022年版
quramy
49
14k
How GitHub (no longer) Works
holman
315
140k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
51k
Balancing Empowerment & Direction
lara
5
760
KATA
mclloyd
PRO
32
15k
Side Projects
sachag
455
43k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.4k
Fireside Chat
paigeccino
41
3.7k
Transcript
HSTS WTF?
None
HTTP Strict Transport Security
Asegurar que la comunicación no encriptada no es permitida en
nuestro sitio para mitigar ataques como por ejemplo SSL-stripping.
None
¡BIEN!
None
¡MAL!
1. El usuario va a preyproject.com 2. El browser agregará
el http:// y hará el request a http://preyproject.com 3. El server responderá con un 301 a https://preyproject.com 4. El browser hace el request a https://preyproject.com HSTS disabled
HSTS enabled 1. El usuario va a preyproject.com 2. HSTS
convertirá automáticamente el link de HTTP a HTTPS
Compatibilidad Chrome, Firefox, Opera desde hace 3 versiones. Safari 7.0
IE 12+
El header Strict-Transport-Security: max-age:31536000; includeSubdomains
None
Nginx add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; Rails config.force_ssl = true La
config
PRELOAD LISTS
¿Preguntas? Boris Quiroz SRE Preyproject.com
boris
kazzpapa3
jyoshise
pauli
.jpeg){kind=avatar}
enpipi
htkym
abeja
kazumura
uhyo
axelmizu
yuki_ink
doragt
zenta
aarron
danielanewman
quramy
holman
eileencodes
lynnandtonic
chrisshort
lara
mclloyd
sachag
zakiyama
paigeccino
