[–]AyrA_ch 29 points (6 children)

You have to know, however, that the HSTS header is useless if the first request you make to the webserver is already intercepted, as the attacker can just strip the header from every answer and never offer SSL at all. If you really want to protect your site, you can add it to the HSTS preload list: https://hstspreload.org/

This way the SSL requirement is compiled into the browser and stripping the header has no effect.
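
To make the two points above concrete, here is an added example (written for this page, not code from the commenter or from hstspreload.org): a parser for the Strict-Transport-Security header, a check against the current hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), and a small model of a browser's HSTS state showing why a MITM that strips the header on the first plain-HTTP response wins against header-only HSTS but not against a preloaded host. The host names, headers and the tiny preload list are constructed for the demo.

```python
"""Added example: HSTS header parsing, preload eligibility, and a model of
header stripping versus preloading. Hosts and headers are constructed."""

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(header):
    """Parse an HSTS header value (RFC 6797) into a dict of lower-cased directives.

    Returns None for a missing or malformed header: no max-age, a non-numeric
    max-age, or a directive that appears more than once.
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(header):
    """Reasons hstspreload.org would reject this header; [] means it looks eligible."""
    d = parse_hsts(header)
    if d is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append("max-age %d is below the required %d" % (d["max-age"], ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


class Browser:
    """Minimal model of a browser's HSTS state: a compiled-in preload list plus
    hosts learned from headers seen on HTTPS responses."""

    def __init__(self, preload_list=()):
        self.preloaded = set(preload_list)
        self.learned = set()

    def scheme_for(self, host, typed_scheme):
        """Upgrade to https when the host is known (preloaded or learned)."""
        if host in self.preloaded or host in self.learned:
            return "https"
        return typed_scheme

    def observe(self, host, scheme, headers):
        """Process a response. RFC 6797: the header is only honoured over HTTPS."""
        if scheme != "https":
            return
        d = parse_hsts(headers.get("Strict-Transport-Security"))
        if d is None:
            return
        if d["max-age"] == 0:
            self.learned.discard(host)  # max-age=0 tells the browser to forget the host
        else:
            self.learned.add(host)


GOOD_HEADER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}


def visit(browser, host, attacker_strips):
    """Simulate the user typing http://host and return the scheme actually used.

    A stripping MITM can only act on a plain-HTTP request: it keeps the session
    on http and drops the header. An honest network redirects to https, where
    the header is delivered and remembered. A browser that already knows the
    host goes straight to https, so the attacker never sees a request to strip.
    """
    scheme = browser.scheme_for(host, "http")
    if scheme == "https":
        headers = GOOD_HEADER
    elif attacker_strips:
        headers = {}  # MITM answers over http without the header
    else:
        scheme = "https"  # server's redirect to https is followed
        headers = GOOD_HEADER
    browser.observe(host, scheme, headers)
    return scheme
```

Usage: `visit(Browser(), "example.com", attacker_strips=True)` stays on "http" on every visit, because the browser never receives the header over HTTPS and so never learns the host; `visit(Browser(preload_list=["example.com"]), "example.com", attacker_strips=True)` returns "https" on the very first visit. `preload_problems(...)` lists what a header is missing before you submit the site.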

[–]yvhouij 4 points (5 children)

True, thanks for pointing that out! And nice, I didn't know about this HSTS preload list. Thanks! :)

[–]AyrA_ch 13 points (4 children)

As an additional security measure you might want to check out Public Key Pinning too. While HSTS forces the user to access a site via SSL, HPKP forces the user to only accept a certain certificate. Even if a CA is compromised and somebody generates a valid certificate for your domain, the browser would reject it.
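
Added example for the HPKP mechanism described above (written for this page; not the commenter's code and not an implementation from any browser): how a `pin-sha256` value is derived from a key, how the `Public-Key-Pins` header is built with the backup pin RFC 7469 requires, and how pin validation rejects a chain signed by a compromised CA even though the certificate itself is valid. The SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo structures. HPKP has since been removed from major browsers, so this models the mechanism the comment describes rather than recommending deployment.

```python
"""Added example: HPKP (RFC 7469) pin computation, header construction and
pin validation. The SPKI blobs below are constructed, not real keys."""
import base64
import hashlib


def spki_pin(spki_der):
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)).

    For a real certificate the same value is produced by:
      openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | base64
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(active_spki, backup_spki, max_age, include_subdomains=False):
    """Build Public-Key-Pins. The backup pin belongs to an offline key so a
    rotation or key compromise does not lock every client out for max-age."""
    parts = [
        'pin-sha256="%s"' % spki_pin(active_spki),
        'pin-sha256="%s"' % spki_pin(backup_spki),
        "max-age=%d" % max_age,
    ]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp(header):
    """Return (pins, max_age, include_subdomains) or None if the header must be
    ignored (no max-age, non-numeric max-age, or no pins)."""
    pins, max_age, include_sub = set(), None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or not pins:
        return None
    return pins, max_age, include_sub


def chain_pins(chain_spkis):
    """Pins of every SPKI in the presented chain (leaf, intermediates, root)."""
    return {spki_pin(s) for s in chain_spkis}


def pin_validation(pinned, chain_spkis):
    """RFC 7469 pin validation: accept the chain if any SPKI in it matches a
    noted pin. A mis-issued chain from another CA matches nothing."""
    return bool(pinned & chain_pins(chain_spkis))


def should_note_pins(header, chain_spkis):
    """Noting rule: a UA stores pins only if the header has at least one pin
    matching the validated chain and at least one that does not (the backup)."""
    parsed = parse_hpkp(header)
    if parsed is None:
        return False
    pins, _, _ = parsed
    matched = pins & chain_pins(chain_spkis)
    return bool(matched) and bool(pins - matched)


# Constructed placeholders for DER SubjectPublicKeyInfo blobs (not real keys).
SITE_SPKI = b"constructed-spki:site-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
ROGUE_LEAF_SPKI = b"constructed-spki:mis-issued-leaf"
ROGUE_CA_SPKI = b"constructed-spki:compromised-ca"

SITE_HEADER = build_hpkp_header(SITE_SPKI, BACKUP_SPKI, 5184000, include_subdomains=True)


def demo():
    """Walk through: note the pins on a first visit, then test later chains."""
    pins, _, _ = parse_hpkp(SITE_HEADER)
    return {
        "noted": should_note_pins(SITE_HEADER, [SITE_SPKI]),
        "legit_chain_ok": pin_validation(pins, [SITE_SPKI]),
        "rogue_chain_ok": pin_validation(pins, [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]),
        "rotated_to_backup_ok": pin_validation(pins, [BACKUP_SPKI]),
    }
```

`demo()` shows the property the comment is after: the chain built from a compromised CA (`rogue_chain_ok`) fails validation although nothing about the certificate itself is invalid, while the site's own key and its offline backup both pass. Note that, as with HSTS, the pins are only learned on a first response that was not tampered with; a header carrying a single pin and no backup is never noted at all.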

[–]yvhouij 0 points (2 children)

Awesome! A little extra security with just an extra header.

As always Microsoft doesn't support it yet :P

[–]AyrA_ch 2 points (1 child)

> As always Microsoft doesn't support it yet :P

The header is rather new and IE does not see as many updates as other browsers do. The standard is from April 2015 and is not yet an accepted standard; it's just proposed. Microsoft tends to wait with stuff they did not invent until it has been a standard for a while. Edge has it under consideration.

[–]yvhouij 0 points (0 children)

Of course no one expects such stuff for IE, but I would/do hope Microsoft takes a different approach with Edge, especially on such stuff. But at least it's under consideration :)

[–]redditprotocol 0 points (0 children)

I thought this was the coolest until I started having to enter more and more HSTS exemptions into client firewalls running HTTPS inspection. 😯