Questions tagged [hsts]
HTTP Strict Transport Security is a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. It is defined by RFC 6797.
164 questions
6 votes · 1 answer · 894 views
If I'm using HSTS, can I skip the scheme from my CSP directives?
For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I'm able to save some bytes by wildcarding some subdomains, but I'm also tempted to strip out all ...
4 votes · 1 answer · 302 views
Why does FedRAMP disallow TLS 1.2 via HSTS?
I just stumbled upon this FedRAMP document: https://www.fedramp.gov/assets/resources/templates/FedRAMP-Moderate-Readiness-Assessment-Report-(RAR)-Template.docx
It contains the following note in 4.2.2 ...
9 votes · 2 answers · 3k views
Do subdomains of a TLD with mandatory HTTPS require a wildcard certificate?
Many new TLDs have mandatory HTTPS requirements. Is there a way to disable that for subdomains? If not does that mean an expensive wildcard SSL certificate will need to be used with these domains?
So ...
2 votes · 1 answer · 507 views
Is it possible to internally use HSTS preloading for internal domains?
Many companies have internal applications, and it would not be wise to recommend these are opened to the public internet merely for the purpose of them making it onto the HSTS preload list. Even if ...
0 votes · 1 answer · 2k views
Browsers don't trust SSL certificates of network-local host signed by own CA
I've got a Mayan EDMS running on a computer on the local network. The Web App is exposed via HTTPS on the non-standard port 8001 and it uses an SSL certificate that is signed by our own CA.
The CA is ...
-1 votes · 2 answers · 278 views
HSTS policy does not appear in Burp intercept response
We have added the HSTS policy at Akamai level (domain). When we intercept the request using Burp we don't see the HSTS policy being added to the response, in case we hit the site with http.
But with https we are able ...
1 vote · 0 answers · 361 views
Headers X-XSS-Protection issue
I want to clear my doubt: are there any issues arising from adding the 'Strict-Transport-Security' and 'X-XSS-Protection' headers?
Header set Strict-Transport-Security "max-age=10886400;
Header ...
2 votes · 1 answer · 670 views
HTTP and HSTS Web Server
If I have HSTS enforced on a web server with HTTPS 443, but HTTP port 80 is still open, does this make HTTP still accessible, or only for the first time before it's added to the browser HSTS list?
I ...
2 votes · 2 answers · 1k views
Did HTTPS and HSTS kill MITM?
Is there a point in being MITM nowadays since HTTPS makes it impossible to make sense of sniffed data and HSTS prevents SSL stripping?
0 votes · 2 answers · 346 views
Can HSTS be considered as a remediation for not using the secure flag, for a PCI DSS auditor? [duplicate]
Can HSTS be considered as a remediation for the vulnerability "cookies are not protected by secure flag" for a PCI DSS auditor?
1 vote · 1 answer · 271 views
Is this HSTS HTTP Response Header Misconfigured?
I recently discovered during a penetration test that the HSTS header was returned by the application, but in this format:
"Strict-TransportSecurity"
Instead of:
"Strict-Transport-Security"
...
2 votes · 1 answer · 3k views
What happens if multiple Strict-Transport-Security headers are set in the HTTP response?
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), how will the browser behave? Does the browser just follow one of them, or simply error ...
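The two questions above (the misspelt "Strict-TransportSecurity" name, and several Strict-Transport-Security fields in one response) both come down to what a browser does with the header it receives. The following is an added example, not code from any of the posts or from a browser: it applies the RFC 6797 processing rules to a list of (name, value) headers and reports what a user agent would cache. The function names, the `StsPolicy` type and the audit messages are mine; the sample headers in the usage note are constructed.

```python
"""Check what a browser would actually take from a server's HSTS header(s).

Applies the processing rules of RFC 6797:
  - the field is honoured only on a response received over TLS (section 8.1);
  - if several Strict-Transport-Security fields arrive, only the FIRST one is
    processed (section 8.1);
  - directive names are case-insensitive, max-age is required, no directive may
    appear twice, and a field that breaks the grammar is ignored (section 6.1);
  - max-age=0 makes the UA drop any policy it has cached for the host (8.1.1).
A misspelt name such as "Strict-TransportSecurity" is just an unknown header.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]   # (field name, field value) in wire order


@dataclass(frozen=True)
class StsPolicy:
    max_age: int              # seconds the UA will remember the host as HSTS
    include_subdomains: bool  # policy also covers every subdomain
    preload: bool             # not in RFC 6797; consumed by the Chromium preload list


# RFC 7230 "token" characters: what a directive name may contain
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_sts_value(value: str) -> Optional[StsPolicy]:
    """Parse one STS field value; None means a UA would ignore the field."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue                     # grammar allows an empty directive slot
        name, sep, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not _TOKEN.match(name) or name in seen:
            return None                  # bad name or repeated directive
        seen.add(name)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]              # quoted-string value is allowed
        if name == "max-age":
            if not val.isdigit():
                return None              # max-age needs a non-negative integer
            max_age = int(val)
        elif name == "includesubdomains":
            if sep:
                return None              # valueless directive
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as section 6.1 requires
    if max_age is None:
        return None                      # max-age is REQUIRED
    return StsPolicy(max_age, include_subdomains, preload)


def effective_policy(headers: List[Header], over_tls: bool) -> Tuple[Optional[StsPolicy], List[str]]:
    """Return (policy the UA would cache, audit findings) for one response."""
    findings: List[str] = []
    if not over_tls:
        findings.append("response was not over TLS: any STS field is ignored")
        return None, findings
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    for n, _ in headers:
        low = n.lower()
        if low != "strict-transport-security" and low.replace("-", "") == "stricttransportsecurity":
            findings.append(f"header {n!r} is not Strict-Transport-Security: browsers ignore it")
    if not sts:
        findings.append("no Strict-Transport-Security field: host is not made an HSTS host")
        return None, findings
    if len(sts) > 1:
        findings.append(f"{len(sts)} STS fields present: only the first ({sts[0]!r}) is processed")
    policy = parse_sts_value(sts[0])
    if policy is None:
        findings.append(f"first STS value {sts[0]!r} is malformed: field ignored")
    elif policy.max_age == 0:
        findings.append("max-age=0: UA deletes any cached policy for this host")
    return policy, findings


if __name__ == "__main__":
    # constructed sample: a CDN adds a short max-age in front of the origin's header
    sample = [("Strict-Transport-Security", "max-age=300"),
              ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")]
    print(effective_policy(sample, over_tls=True))
```

Run against the constructed sample, `effective_policy` reports that only `max-age=300` takes effect, which is the practical answer to the multiple-headers question: whichever component emits the field first wins, so a proxy or CDN that prepends its own weaker policy silently shortens yours. A value ending in a stray `;` (as in `max-age=10886400;`) still parses, because the grammar permits empty directive slots.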
11 votes · 1 answer · 1k views
How do browsers get HSTS preload data?
I recently wrote this answer, in which I explained the process of HSTS preloading. However, I noticed that I didn't actually know how the exact mechanism for fetching preload information works. I have ...
0 votes · 2 answers · 514 views
HSTS without auto-upgrading HTTP to HTTPS [duplicate]
I have a website hosted at https://example.com/mysite. If you navigate to http://example.com/mysite, you get a 404. Everything that comes in over HTTP gets 404'd.
I was dinged on a security audit ...
31 votes · 1 answer · 9k views
"google.com" is not HSTS protected?
Issue:
Oftentimes people enter google.com directly in the browser's address bar without including either the http:// or https:// prefixes.
Using Chrome DevTools on a fresh incognito session, I ran the ...
3 votes · 2 answers · 2k views
MITM attack with HSTS implemented websites
I want to perform a Man-in-the-Middle attack against my own network for educational purposes.
I want the following scenario: Perform a MITM attack with Bettercap, navigate to a website and accept the ...
0 votes · 1 answer · 137 views
Initial requests sent over HTTP by default [duplicate]
Before the invention of HSTS security policy, if a user didn't specify the protocol in the URL, were all the initial requests sent over HTTP by default for every website?
0 votes · 2 answers · 742 views
Does HSTS prevent packet capturing in Wireshark?
If a site is enforcing HSTS, does that prevent packet capturing of GET requests in Wireshark?
If it prevents it, is it possible to achieve the same using Bettercap or any other alternatives?
...
0 votes · 2 answers · 2k views
Is HTTP Strict Transport Security needed when only listening on port 443?
Is HSTS needed on a server that listens only on port 443? If a MITM attack is carried out, the server won't respond on HTTP.
5 votes · 2 answers · 5k views
Should I return an HSTS header for 404 error pages?
I set up our .NET web application so that it has HSTS enabled. I verified this by going to https://gf.dev/hsts-test and putting in our URL, and it shows that HSTS protection is there.
The result shows:
...
9 votes · 2 answers · 3k views
What are the dangers of not setting the HSTS header on every response?
A web application only sets the HSTS header in responses to requests to /assets/*. Any other response does not include the HSTS header.
While it does seem insecure at first, any browser opening the ...
2 votes · 2 answers · 154 views
What is the relevance of HSTS on an HTTP application?
We all know that HSTS should be implemented on an HTTPS application. Recently, I came across an application with HSTS implemented on an HTTP application.
I need to answer to the client. According to me, HSTS ...
2 votes · 2 answers · 504 views
Strict Transport Security (HSTS) HTTP Response Header Security Related Question
I always thought HSTS headers were server specific, what reason would cause this header to not be invoked across certain URI endpoints i.e. HSTS header is in response to the root direct /, as well as /...
0 votes · 1 answer · 344 views
Does HSTS prevent MITM using a valid certificate?
Let's consider this scenario:
An attacker got a valid certificate for an HSTS-protected domain https://example.com. Can he still perform a man-in-the-middle attack even if the website is already ...
22 votes · 2 answers · 5k views
Is there any point in having the HSTS header enabled when using HTTP/2?
As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured....
3 votes · 1 answer · 233 views
Isn't it a security gap if the TLD hostname doesn't send the strict-transport-security header?
If you connect to https://google.com (without www.) you get an HTTP 301 redirect to https://www.google.com/ . Then if you connect to https://www.google.com/ the response includes the strict-transport-...
1 vote · 2 answers · 357 views
Why did browsers choose to implement HSTS with Preload over checking custom DNS information?
Browsers and standards bodies favor HSTS with Preload because it avoids ever sending an http request to a website that supports https. This is good, because cleartext http requests can be intercepted ...
-5 votes · 2 answers · 442 views
How can HSTS preloading be avoided?
Preloading is a primitive operation. You must preload for a year or more, and "be aware that inclusion in the preload list cannot easily be undone," according to the registration tool. Therefore, if ...
1 vote · 3 answers · 374 views
Does HSTS provide security advantages on private networks?
For systems that only connect to the internet via a single dedicated private network (no WiFi hotspots), and assuming no systems or components on that network are compromised, does HSTS (HTTP Strict ...
13 votes · 1 answer · 1k views
Does HSTS protect against a rogue CA issuing an illegitimate valid certificate?
Does HSTS protect a domain from a publicly trusted CA that has gone rogue issuing an illegitimate valid certificate? Examples of publicly trusted CAs would be any of the members of the Mozilla CA ...
7 votes · 1 answer · 1k views
Should the Strict-Transport-Security max-age be tied to the duration of the certificate?
I understand the principle of HSTS, and the fact that the choice of max-age limits how long a visitor could potentially be locked out if the site somehow lost its certificate and had to go back to ...
0 votes · 1 answer · 1k views
Is it possible to browse HSTS sites over SOCKS5 proxy?
I am unable to browse HSTS websites using a SOCKS5 proxy in the Chrome browser... getting this error:
"This site can't be reached. The web page at https://www.instagram.com/accounts/login/?hl=en might ...
3 votes · 1 answer · 519 views
Does HSTS preload include subdomains?
I know that you can preload your domain if you have everything with a valid HTTPS certificate, but after preloading the domain, if I go to subdomain.example.com is it going to be preloaded the same way ...
1 vote · 0 answers · 581 views
includeSubDomains is not shown in https header after enabling hstsIncludeSubDomains in Tomcat
I enabled HSTS in the Tomcat web.xml like this:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters....
0 votes · 1 answer · 2k views
HSTS preload and requisites on the domain: must subdomains be added too?
I found that the security header for protection against MITM attacks on the first connection is to implement the HSTS preload directive and add the domain to Google's list: https://hstspreload.org/
However the ...
0 votes · 0 answers · 200 views
No HSTS but still protected against MITM attacks?
I am aware of HSTS and its directives... If you had enabled HSTS on your site, however, and this user has visited your site before, the browser will remember it should go back to https. As the fake ...
2 votes · 1 answer · 237 views
How to protect against MITM attacks on the first connection? - no HSTS preload
I have been searching around this area about MITM attacks and realized that every single page that doesn't have HSTS preload is vulnerable to MITM attacks on the first connection to the site. The solution ...
7 votes · 1 answer · 4k views
How to force a browser when connecting to a specific domain to be https only using only the client machine?
Is it possible to force a client (browser or host machine or etc) to only make https connections to a specific URL/domain?
(preferably non-admin/root fixes if possible)
Here is a fabricated ...
3 votes · 1 answer · 969 views
HSTS and TLS redirection: What is the correct order?
Currently I am trying to set up my Apache server for HSTS. To that end my .htaccess looks like this:
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; ...
3 votes · 0 answers · 210 views
Risks of not enabling HSTS on a static content subdomain, even though the main domain does have HSTS
I'm investigating an issue where our static content (js, css) is deployed in AWS Cloudfront under a subdomain of our main website and doesn't have HSTS enabled. The main domain does have HSTS enabled ...
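Several questions in this list ("HTTP and HSTS Web Server", "What are the dangers of not setting the HSTS header on every response?", "Does HSTS preload include subdomains?" and the static-content subdomain question just above) are really questions about the browser's cache of known HSTS hosts. The block below is an added example written for this page, not code from any of the posts or from a browser: it models that cache after RFC 6797 sections 8.1 to 8.3 and shows which plain-http URLs get rewritten. The class and method names are mine; the injectable clock exists only so expiry can be demonstrated; treating a preload-list entry as a permanent includeSubDomains entry is a deliberate simplification (the real list ships compiled into the browser); all hosts and URLs below are constructed.

```python
"""Toy model of a browser's 'Known HSTS Hosts' store (RFC 6797 sections 8.1-8.3).

What it demonstrates:
  - a host is upgraded only AFTER the browser has once received the header
    from it over TLS; a fresh profile's first plain-http request, or any
    request made before the one response that carried the header, is not
    rewritten (hence port 80 is reachable "the first time");
  - an entry without includeSubDomains does not cover static.example.com,
    while a preload-list entry always covers subdomains;
  - rewriting is URI-level: http -> https, an explicit port 80 becomes 443,
    any other explicit port is preserved (section 8.3);
  - max-age=0 revokes the entry, expired entries are forgotten, and IP-literal
    hosts are never HSTS hosts.
"""
import ipaddress
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit


def _is_ip_literal(host: str) -> bool:
    """RFC 6797 applies to domain names only, never to IP-address hosts."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # host -> (absolute expiry, includeSubDomains asserted)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def note_header(self, host: str, max_age: int, include_subdomains: bool) -> None:
        """Record a policy received from `host` over TLS (section 8.1.1)."""
        host = host.lower()
        if _is_ip_literal(host):
            return
        if max_age == 0:
            self._hosts.pop(host, None)          # max-age=0 revokes the policy
            return
        self._hosts[host] = (self._now() + max_age, include_subdomains)

    def preload(self, host: str) -> None:
        """Seed a preload-list entry: never expires, includeSubDomains required."""
        self._hosts[host.lower()] = (float("inf"), True)

    def is_known(self, host: str) -> bool:
        """Exact match, or a superdomain match that asserted includeSubDomains."""
        if not host or _is_ip_literal(host):
            return False
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self._hosts[candidate]       # expired: forget it
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually request (section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname or ""
        if parts.port not in (None, 80):         # 80 -> 443 is implicit in https
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://example.com/"))            # not yet known: unchanged
    store.note_header("example.com", 31536000, False)      # header seen once over TLS
    print(store.rewrite("http://example.com/"))            # now upgraded
    print(store.rewrite("http://static.example.com/a.js")) # subdomain still plain http
```

The model makes the "header only on /assets/*" situation concrete: `note_header` is only ever called for the response that carried the field, so until the browser has fetched one of those asset URLs over TLS, `rewrite` leaves `http://example.com/` alone and an active attacker on the path can strip it. Likewise an entry recorded without `includeSubDomains` never matches `static.example.com`, which is the gap the CloudFront question describes.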
0 votes · 1 answer · 156 views
HSTS mixed with HTTP resources
We have a container site which implements HSTS and a video sharing site which is using HTTP only and doesn't have TLS implemented, nor will it.
How does one avoid mixed content in container site and ...
3 votes · 1 answer · 780 views
Is there *ANY* conceptual downside to enabling preloaded HSTS on greenfield
Referencing this: https://hstspreload.org/
There's a bunch of stuff about making really sure that it all works before you get them to pre-load it:
when testing first test with a max-age of 5 minutes,...
1 vote · 0 answers · 32 views
Is HSTS necessary or can I just write .htaccess code to always redirect http to https? [duplicate]
Is HTTP Strict Transport Security (HSTS) necessary or can I just write regular .htaccess code to always redirect http to https?
1 vote · 0 answers · 324 views
Can a single domain be deleted from the HSTS list through GPO?
I have a proxy performing IWA authentication, which intercepts the web request and redirects it towards the proxy's host name for auth.
The redirect URL is over http; however, the HSTS list on the end ...
3 votes · 0 answers · 310 views
Experimenting with SSLStrip+ on the same machine
I am trying to play around to understand how SSLStrip+ works by:
$ cat /proc/sys/net/ipv4/ip_forward
1
$ sudo iptables --flush
$ sudo iptables --flush -t nat
$ sudo iptables -t nat -A PREROUTING -p ...
1 vote · 1 answer · 284 views
HSTS vs RewriteRule
I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our ...
2 votes · 1 answer · 4k views
HSTS for android apps?
Websites such as Facebook visited on browsers have the HSTS capability which is one more layer of security for TLS from some attacks.
What about, in particular, the Facebook android app?
Does it ...
2 votes · 2 answers · 11k views
How is danger / badidea / thisisunsafe justified?
The HSTS standard states the following:
12.1. No User Recourse
Failing secure connection establishment on any warnings or errors
(per Section 8.4 ("Errors in Secure Transport Establishment"...
6 votes · 0 answers · 648 views
Why are banks largely absent from the HSTS preload list?
There seems to be widespread support for the idea that election-related websites, of all things, should be resistant to man-in-the-middle attacks. The secret ballot makes detecting and recovering from ...
2 votes · 4 answers · 2k views
How do mobile apps prevent HTTPS MITM attacks when the user installs the attacker's CA certificate?
I am using a mobile app that installs a fake trusted CA certificate and therefore can capture the HTTPS traffic of other apps. Most of the time, this MITM attack is successful.
However, I noticed ...