HTTP Strict Transport Security is a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. It is defined by RFC 6797.
Questions tagged [hsts]
163 questions
25 votes · 2 answers
Do I have a current MITM?
I apologise for the terseness of this question; I have an issue. Google.co.uk is failing its HSTS on my browsers.
Is this an issue with google.co.uk or is this just me? Is someone middle-manning my internet connection?
While I can find plenty of…
Martin
10 votes · 1 answer
How do browsers get HSTS preload data?
I recently wrote this answer, in which I explained the process of HSTS preloading. However, I noticed that I didn't actually know how the exact mechanism for fetching preload information works. I have checked the Chromium Documentation, MDN Web Docs,…
user163495
9 votes · 2 answers
What are the dangers of not setting the HSTS header on every response?
A web application only sets the HSTS header in responses to requests to /assets/*. Any other response does not include the HSTS header.
While it does seem insecure at first, any browser opening the index page will quickly follow up loading all the…
user163495
7 votes · 3 answers
True or False: HSTS is absolutely useless against MITM attacks
I do understand that it is a good security measure to implement HSTS, because it will reduce the number of incidents.
Statement 1: If clients' IO traffic goes through MITM from the start, can the attacker just strip Strict-Transport-Security…
Slava
7 votes · 1 answer
HSTS: Clicking through certificate errors
We have a website www.example.com with a certificate for domain www.example.com, we also have HSTS enabled. The Qualys SSL Labs (https://www.ssllabs.com/index.html) confirmed that HSTS has been enabled.
I noticed that if you go to…
Jakkals
6 votes · 3 answers
How to see when an HSTS domain is about to expire?
We have a customer who claims his site (which we host) is under HSTS, but we cannot confirm this. I told him to open that chrome page chrome://net-internals/#hsts and query for his domain, and indeed he gets a record with a dynamic_sts_observed of…
Adrian Föder
3 votes · 1 answer
Isn't it a security gap if the TLD hostname doesn't send the strict-transport-security header?
If you connect to https://google.com (without www.) you get a HTTP 301 redirect to https://www.google.com/ . Then if you connect to https://www.google.com/ the response includes the strict-transport-security header.
I contend this is a (small)…
Bennett
3 votes · 1 answer
Does HSTS preload include subdomains?
I know that you can preload your domain if you have everything with a valid HTTPS certificate, but after preloading the domain, if I go to subdomain.example.com is it going to be preloaded the same way as example.com is preloaded?
Tomi Begher
3 votes · 1 answer
Is there *ANY* conceptual downside to enabling preloaded HSTS on greenfield
Referencing this: https://hstspreload.org/
There's a bunch of stuff about making really sure that it all works before you get them to pre-load it:
when testing first test with a max-age of 5 minutes, then ramp up to 1 week, & 1 month.
They say if…
Brondahl
2 votes · 0 answers
Current HSTS set not displaying visited sites
I'm using chrome://net-internals/#hsts to do HSTS testing.
I tried to query a domain that has HSTS preloaded (facebook.com), and got the expected results:
Found:
static_sts_domain: facebook.com
However, I tried the following steps with a domain that…
user152086
2 votes · 2 answers
Strict-transport-security Mixed Content - same domain?
I'm researching the HTTPS-strict-transport-security protocol (HSTS), and am writing a plugin for Firefox to highlight some of the issues with the protocol. One of the things that I'm looking at is mixed content.
If the site is using HSTS, and the…
user3853149
1 vote · 3 answers
HSTS preventing MiTM cookie hijacking attacks
I was watching the following presentation:
https://www.youtube.com/watch?v=jYcx7WtbB0A
It addressed the issue when trying to access a particular web site that is available over both HTTP and HTTPS and that the initial request will be sent via HTTP…
cyzczy
0 votes · 1 answer
Is it possible to internally use HSTS preloading for internal domains?
Many companies have internal applications, and it would not be wise to recommend these are opened to the public internet merely for the purpose of them making it onto the HSTS preload list. Even if these services were audited and user credentials…
Luc
0 votes · 2 answers
Is HTTP Strict Transport Security needed when only listening on port 443?
Is HSTS needed on a server that listens only on port 443? If a MITM attack is carried out, the server won't respond on HTTP.
fox_haunter
-1 votes · 3 answers
What is the use of HSTS on a website?
I know HSTS redirects HTTP requests to HTTPS for the target domain, or it helps in restricting downgrading HTTPS to HTTP. But I don't get the basic idea behind HSTS. I have gone through various tutorials, plus the OWASP Cheat Sheet on HSTS.
Benz