All Questions tagged with hsts web-browser (12 questions)
2 votes · 1 answer · 3k views
What happens if multiple Strict-Transport-Security headers are set in the HTTP response?
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), how will the browser behave? Does the browser just follow one of them, or simply error ...
6 votes · 2 answers · 5k views
List of sites that still don't support HSTS?
I'm working on an article for work and seeking a list of the top ~500 websites (ranked by Alexa) that still don't have support for HSTS. Does such a list exist? I'm not getting any interesting hits ...
2 votes · 1 answer · 3k views
Is an HSTS header of any use without a recognized certificate?
The application I'm working on is accessible only via IP address, so HTTPS connection is provided via a custom-signed certificate.
I explained to my client that (from MDN docs)
[...] when your ...
13 votes · 5 answers · 9k views
How do you prevent sending cookie data over HTTP the first time? [duplicate]
You could use HSTS to tell the browser to always use HTTPS in future requests.
You could use the cookie Secure flag so that from now on cookies are only sent over HTTPS.
You could use a DNS-based redirect but only ...
5 votes · 1 answer · 943 views
What is the implication of HSTS on unsupported browsers?
HSTS is currently available only on Edge and IE11. What will be its implication on lower browser versions (IE9 & IE10)? How will HSTS behave? Will there be any impact on the site?
8 votes · 1 answer · 337 views
Does a popular technique prevent HSTS from working within a Firefox browser session?
Firefox stores HSTS data in a file named SiteSecurityServiceState.txt.
This poses two serious issues:
It creates an opportunity for tracking. See http://www.radicalresearch.co.uk/lab/...
4 votes · 1 answer · 909 views
How can I add my website to preload entries set of well-known browsers like Firefox or Chrome?
I have a website like https://www.example.com. I need to force all users visiting my site to use HTTPS connections.
I thought about HSTS but I don't know how to add my site to the preload entries of ...
2 votes · 1 answer · 2k views
Is Firefox's disabling of insecure TLS fallback part of the HSTS spec?
I've been looking into HSTS, and I can see that Firefox has supported it since version 4, but I can also see that you could click through untrusted cert browser warnings until Firefox 37.
Is the ...
4 votes · 1 answer · 3k views
Why does sslstrip+ fail to intercept the traffic from websites like Facebook and Gmail?
I have been reading an article about sslstrip and MITM. Before the introduction of HSTS it was possible to strip SSL and send an insecure HTTP page to the victim. Anyway, it was overcome by using HSTS ...
38 votes · 3 answers · 25k views
How can I see which sites have set the HSTS flag in my browser?
My question is about Firefox and Chrome.
Is there a possibility to see which sites have set the HSTS flag in my browser?
20 votes · 2 answers · 2k views
Why does rfc6797 say "An HSTS Host MUST NOT include the STS header field in HTTP responses over non-secure transport."
Why does the RFC prohibit the server from sending HSTS to the client over HTTP?
I can see that if an HTTP client responds to that insecure HTTP response it might cause that site to be inaccessible to ...
6 votes · 1 answer · 2k views
Can HSTS be defeated?
As I know, HSTS is mainly implemented to mitigate the famous sslstrip attack, in which the browser is forced to use SSL when connecting to a particular site. And I think it also prevents the user from proceeding to a site ...