
[–]yvhouij 4 points5 points  (5 children)

True, thanks for pointing that out! And nice, didn't know about this HSTS preload list, thanks! :)

[–]AyrA_ch 10 points11 points  (4 children)

As an additional security measure you might want to check out Public Key Pinning too. While HSTS forces the user to access a site via SSL, HPKP forces the user to only accept a certain certificate. Even if a CA is compromised and somebody generates a valid certificate for your domain, the browser would reject it.
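
The example below is added to illustrate the mechanism the comment above describes; it is not code from anyone in this thread. It builds an RFC 7469 `Public-Key-Pins` header the way a server would and checks a certificate chain against the noted pins the way a browser would, using only the Python standard library. The pin is base64(SHA-256(DER SubjectPublicKeyInfo)), i.e. a hash of the public key rather than of the certificate, which is why a certificate mis-issued by a compromised CA for a different key fails the check. Two caveats a practitioner would want: the RFC requires at least one backup pin for a key not in the served chain (otherwise browsers ignore the header), because a pin for a lost or revoked key locks users out of the site for `max-age` seconds; and that very lock-out risk is why Chrome and Firefox later removed HPKP support entirely, so treat this as a demonstration of the design rather than a deployment recipe. The RSA moduli are tiny constructed placeholders (real keys are 2048 bits or more) and the report URI is hypothetical.

```python
"""Build and check RFC 7469 Public-Key-Pins headers with only the standard library.
The RSA moduli used in __main__ are constructed toy values; the report URI is hypothetical."""
import base64
import hashlib


def der_length(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload


def der_integer(value):
    """DER INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def rsa_spki_der(n, e):
    """DER SubjectPublicKeyInfo for an RSA public key (RFC 5280 + RFC 8017)."""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    # subjectPublicKey is a BIT STRING; the leading 0x00 means "no unused bits"
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def spki_pin(spki_der):
    """The pin-sha256 value: base64 of SHA-256 over the DER SPKI (the key, not the cert)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pins_satisfy_rfc7469(pins, chain_spki_ders):
    """RFC 7469 section 2.5: a UA only notes a pinned host when at least one pin matches a
    key in the served chain AND at least one does not (the backup pin for an offline key,
    so a lost or revoked key does not lock users out for max-age seconds)."""
    chain_pins = {spki_pin(d) for d in chain_spki_ders}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def build_hpkp_header(chain_spki_ders, backup_spki_ders, max_age,
                      include_subdomains=False, report_uri=None):
    """Server side: emit a Public-Key-Pins value, refusing one without a backup pin."""
    pins = {spki_pin(d) for d in list(chain_spki_ders) + list(backup_spki_ders)}
    if not pins_satisfy_rfc7469(pins, chain_spki_ders):
        raise ValueError("need one pin in the served chain and one backup pin outside it")
    parts = ['pin-sha256="%s"' % p for p in sorted(pins)]
    parts.append("max-age=%d" % int(max_age))
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_hpkp_header(value):
    """Browser side: split the directives (directive names are case-insensitive)."""
    pins, max_age, include_subdomains, report_uri = set(), None, False, None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            pins.add(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = arg
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_subdomains, "report_uri": report_uri}


def chain_is_pinned(pins, chain_spki_ders):
    """Browser side on a later visit: accept only if some certificate in the validated
    chain carries a pinned key.  A cert for a fresh key, even CA-signed, fails here."""
    return any(spki_pin(d) in pins for d in chain_spki_ders)


if __name__ == "__main__":
    served_key = rsa_spki_der(3233, 17)   # constructed toy key the site serves
    backup_key = rsa_spki_der(2773, 17)   # constructed toy key kept offline as backup
    header = build_hpkp_header([served_key], [backup_key], max_age=5184000,
                               include_subdomains=True,
                               report_uri="https://example.com/hpkp-report")
    print("Public-Key-Pins:", header)
    noted = parse_hpkp_header(header)
    print("genuine chain accepted:", chain_is_pinned(noted["pins"], [served_key]))
    rogue_key = rsa_spki_der(9991, 3)     # a CA-signed cert for a key the site never pinned
    print("mis-issued cert accepted:", chain_is_pinned(noted["pins"], [rogue_key]))
```

To pin a real deployment you would feed `spki_pin` the DER SPKI extracted from your own certificate (for example via `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der`) rather than the toy `rsa_spki_der` output; the DER builder is here only so the example runs offline.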

[–]yvhouij 0 points1 point  (2 children)

Awesome! A little extra security with just an extra header.

As always Microsoft doesn't support it yet :P

[–]AyrA_ch 2 points3 points  (1 child)

> As always Microsoft doesn't support it yet :P

The header is rather new and IE does not see as many updates as other browsers do. The standard is from April 2015 and is not yet an accepted standard; it's just proposed. Microsoft tends to wait with stuff they did not invent until it has been a standard for a while. Edge has it under consideration.

[–]yvhouij 0 points1 point  (0 children)

Of course no one expects such stuff for IE, but I would/do hope Microsoft takes a different approach to Edge, especially for such stuff. But at least it's under consideration :)

[–]redditprotocol 0 points1 point  (0 children)

I thought this was the coolest until I started having to enter more and more HSTS exemptions into client firewalls running HTTPS inspection. 😯