dbalan/blogng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

More edits to the HSTS post.

Browse Source
This commit is contained in:
Dhananjay Balan 2019-04-15 10:47:09 +02:00
parent c82f35abc7
commit 3d52fb8e36
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
blog/2019-04-08-notes-on-hsts.markdown
View File

@ -9,8 +9,10 @@ tags: hsts, security, privacy
HTTP Strict Transport Secrity is a mechanism for sites to signal that HTTP Strict Transport Secrity is a mechanism for sites to signal that
they would only be serving a secure transport (read: TLS) to serve they would only be serving a secure transport (read: TLS) to serve
content from these domains. HSTS is defined in content from these domains. HSTS is defined in
[RFC6797](https://tools.ietf.org/html/rfc6797). HSTS is really cool [RFC6797](https://tools.ietf.org/html/rfc6797).
considering how easy is to enable it!
HSTS is easy to enable, and its really cool how much of an impact it
has to improve security.
So how does it work? The secure version of the site sends an extra HTTP header So how does it work? The secure version of the site sends an extra HTTP header
@ -24,7 +26,7 @@ To an HSTS aware client (i.e all mordern browsers) this means
client can now cache this information, and if you ever get the client can now cache this information, and if you ever get the
non-secure version of the site - know that someones tampering with the non-secure version of the site - know that someones tampering with the
site. connection.
But max age is only one of the directive, there are more. But max age is only one of the directive, there are more.
1. `includeSubdomains` directive: Tells your browser that apply the 1. `includeSubdomains` directive: Tells your browser that apply the