HackDig : Dig high-quality web security articles for hacker

HTTP Strict Transport Security (HSTS) Preload Lists

2015-07-07 17:20

There is a growing wave of websites and other web applications that are now moving to be TSL-only (transport layer security only, aka SSL-only).

Partial screen capture of Chrome's preload list with the entry for clerkendweller.uk highlighted

Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of a HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS deployment, not least the effect on other sub-domains.

Since the browser needs to make at least one request before it can read this HSTS policy, the user is still vulnerable to the use of a first non-TLS connection.

However, if a web site is TLS-only and has the HSTS header, with an expiry of at least eighteen weeks (10886400 seconds), has the "includeSubdomains" and "preload" attributes set, then the information can be hard coded into certain web browsers such that they will never request the site without using TLS, regardless of what a user types in or clicks on.

The machine readable HSTS preload lists are:

The entry for clerkendweller.uk in Chrome's list is illustrated above.

Once you have configured your website, use this form from Google to submit your information. The data is included with the preload lists for Safari and Firefox. Note the inclusion in the preload list is irreversible.

Source: stsiL-daolerP-STSH-ytiruceS-tropsnarT-tcirtS-PTTH/2/7/5102/ku.rellewdnekrelc.www

Read:2997 | Comments:0 | Tags:administrative SSL preventative technical operation policies

“HTTP Strict Transport Security (HSTS) Preload Lists”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud