HSTS: Forcing Future Connections to Use HTTPS

HSTS is a response header that tells browsers to use only HTTPS for your site, automatically upgrading future HTTP requests. On every visit after the first, this prevents SSL stripping attacks.
HTTP Strict Transport Security (HSTS) is a response header, `Strict-Transport-Security: max-age=<seconds>[; includeSubDomains][; preload]`, that tells browsers to reach your site only over HTTPS for the next max-age seconds, rewriting future http:// requests to https:// before they leave the client. Because the upgrade happens client-side, a network attacker never sees a plaintext request to downgrade, which is what defeats man-in-the-middle attacks like SSL stripping. Two caveats: the browser ignores the header when it arrives over plain HTTP (so send it on the HTTPS response and have the HTTP listener redirect), and the very first visit is still unprotected unless the domain is on the browsers' preload list. The biggest footgun: once a browser has learned an HSTS policy, any certificate error (expired, wrong hostname, untrusted issuer) is a hard failure with no click-through for the user. A bad certificate is therefore a complete outage for every returning visitor until the certificate is fixed or the policy expires, so start with a short max-age and raise it once renewals are proven to work.
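The following is an added example, not code from the MDN article or from this page: it builds the header on the server side with an Express-style `(req, res, next)` middleware (the `hsts` name and the plain mock request/response objects are assumptions so the file runs without the express package), and then models the browser's side of the protocol as described above: the header is ignored over plain HTTP, an `includeSubDomains` policy covers child hosts, the policy expires after max-age, `max-age=0` clears it, and a certificate error on a known HSTS host cannot be overridden.

```javascript
// Added example (not from the original page): server-side HSTS header plus a small
// model of the browser-side policy store described in RFC 6797.

const MAX_AGE_ONE_YEAR = 31536000;

// Build a Strict-Transport-Security header value from options.
function buildHstsHeader({ maxAge = MAX_AGE_ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) throw new RangeError('max-age must be a non-negative integer');
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Express-compatible middleware (hypothetical name). Sets the header only on HTTPS
// responses: browsers ignore it over plain HTTP anyway, so the HTTP listener should
// redirect to HTTPS with a 301 rather than try to set policy.
function hsts(options) {
  const value = buildHstsHeader(options);
  return function (req, res, next) {
    if (req.secure) res.setHeader('Strict-Transport-Security', value);
    next();
  };
}

// Parse a header value into { maxAge, includeSubDomains }; null if malformed.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === 'max-age') {
      // duplicate or non-numeric max-age: the whole header is invalid and ignored
      if (maxAge !== null || !/^\d+$/.test(val ?? '')) return null;
      maxAge = Number(val);
    } else if (lower === 'includesubdomains') {
      includeSubDomains = true;
    }
    // unknown directives such as "preload" are ignored by the browser
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Browser-side model: what the client remembers about each host.
class HstsPolicyStore {
  constructor() {
    this.entries = new Map(); // host -> { expiresAt (ms), includeSubDomains }
  }

  // Called on every response. Only a secure, error-free connection may set policy.
  observe(host, connectionSecure, headerValue, now = Date.now()) {
    if (!connectionSecure || headerValue == null) return false; // header over HTTP is ignored
    const parsed = parseHsts(headerValue);
    if (!parsed) return false;
    if (parsed.maxAge === 0) { this.entries.delete(host.toLowerCase()); return true; } // explicit clear
    this.entries.set(host.toLowerCase(), {
      expiresAt: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Should an http:// request to host be rewritten to https:// before it is sent?
  shouldUpgrade(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expiresAt <= now) { this.entries.delete(candidate); continue; } // max-age elapsed
      if (i === 0 || entry.includeSubDomains) return true; // exact match, or parent with includeSubDomains
    }
    return false;
  }

  // The footgun: for a known HSTS host a certificate error is fatal, no click-through.
  certErrorOverridable(host, now = Date.now()) {
    return !this.shouldUpgrade(host, now);
  }
}

// Stand-alone demo: policy is learned only over HTTPS, then upgrades apply.
if (typeof require !== 'undefined' && require.main === module) {
  const store = new HstsPolicyStore();
  store.observe('example.com', false, buildHstsHeader(), 0); // ignored: plain HTTP
  console.log('after HTTP response :', store.shouldUpgrade('example.com', 1)); // false
  store.observe('example.com', true, buildHstsHeader(), 0);
  console.log('after HTTPS response:', store.shouldUpgrade('example.com', 1)); // true
}
```

Two design points worth noting: the store keys policy on the hostname only, never the port, because that is how browsers scope HSTS, so a policy learned on `https://example.com:8443` also forces `http://example.com`; and `max-age=0` is the only way to retract a policy remotely, which is why a short initial max-age is the safe rollout path.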
Read the original → developer.mozilla.org
- #security
- #http
- #https-only
- #express