HTTP Strict Transport Security
Explore how HTTP Strict Transport Security (HSTS) helps enforce secure HTTPS connections by instructing browsers to avoid insecure HTTP versions. Understand its implementation, benefits, limitations, and how submission to preload lists like hstspreload.org can improve security from the first user visit.
Introduction
As we’ve seen, servers can send HTTP headers to provide the client with additional metadata about the response. Besides sending the content that the client requested, servers can specify how a particular resource should be read, cached, or secured.
There is a large spectrum of security-related headers that we should understand; browsers have implemented them in order to make it harder for attackers to take advantage of vulnerabilities. The following sections summarize each of them: how it is used, what kind of attacks it prevents, and a bit of the history behind it.
HSTS
Since late 2012, HTTPS-everywhere believers have found it easier to force a client to always use the secure version of the HTTP protocol, thanks to the HTTP Strict Transport ...
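As an added example (not part of the original page), the following Python parses a `Strict-Transport-Security` header the way a browser would read its directives and then checks the directive requirements that hstspreload.org publishes for submission (a `max-age` of at least one year, `includeSubDomains`, and `preload`); the sample header values at the bottom are constructed, and the preload check covers only the header, not the certificate and redirect requirements the preload list also imposes.

```python
# Minimum max-age (one year in seconds) that hstspreload.org requires
# before a domain can be submitted for preloading.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive. max-age carries an integer number
    of seconds (max-age=0 tells the browser to forget the host);
    includeSubDomains and preload are flags. Returns None when the header
    is unusable: no max-age at all, or a non-numeric max-age.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age="300" is also valid
        if name == "max-age":
            if not value.isdigit():
                return None
            directives["max-age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            directives[name] = True
    if "max-age" not in directives:
        return None
    return directives


def preload_problems(header_value):
    """Return the reasons a header would be rejected for preloading.

    An empty list means the directives meet the hstspreload.org policy.
    """
    d = parse_hsts(header_value)
    if d is None:
        return ["header is missing or has no valid max-age"]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least %d seconds" % PRELOAD_MIN_MAX_AGE)
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains directive is required")
    if not d.get("preload"):
        problems.append("preload directive is required")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one preload-ready, one that only covers
    # the bare host for five minutes.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(sample, "->", preload_problems(sample) or "preload-ready")
```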