Strict Transport Security

From Seo Wiki - Search Engine Optimization and Programming Languages


Strict Transport Security (STS) is a proposed HTTP response header by which a website requires the user agent (such as a web browser) to reach it only over secure connections (such as HTTPS). The header specifies a period of time during which the user agent must not access the site insecurely.[1]

An initial draft specification by Jeff Hodges from PayPal, Collin Jackson and Adam Barth was published on 18 September 2009.[1] The specification is based on original work by Jackson and Barth as described in their paper “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks”.[2]

A revised version of the STS specification, incorporating community feedback, was published on 18 December 2009.[3]


Overview

When Strict-Transport-Security is active for a website, a complying user agent does the following:

  1. Automatically turn any insecure link to the website into a secure one. (For instance, http://www.example.com/some/page/ is rewritten to https://www.example.com/some/page/ before the server is contacted.)
  2. If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), show an error message and offer the user no way to proceed past it to the site.

Strict-Transport-Security helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker will not be able to intercept any request to a website while the user's browser has Strict-Transport-Security active for that site.

Limitations

The initial request remains unprotected from active attacks if it is made over an insecure protocol such as plain HTTP, or if the URI for it was obtained over an insecure channel. The same applies to the first request made after the period specified in the Strict-Transport-Security header has expired.
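As an added example (not code from this page or from any browser), the following Python models the user-agent side of the behaviour described under Overview together with the expiry limitation above: it records a policy from the header's max-age directive (and the includeSubDomains directive defined in the specification), upgrades http:// URLs for hosts with an active policy, and stops doing so once the period has passed. The StsStore class, its method names and the injectable clock are this example's own.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class StsStore:

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so policy expiry can be simulated in tests
        self.policies = {}      # host -> (expiry timestamp, includeSubDomains flag)

    def process_header(self, host, header_value, over_tls):
        """Record the policy from a response header; True if a policy was stored."""
        # The specification has the agent ignore the header on an insecure connection,
        # since an on-path attacker could otherwise plant or clear policies.
        if not over_tls:
            return False
        max_age, include_subdomains = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False
        # max-age=0 yields an already-expired entry, i.e. the host is forgotten.
        self.policies[host.lower()] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True while an unexpired policy covers host, directly or via includeSubDomains.
        A complying agent also treats any TLS error on such a host as fatal."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if self.clock() >= expiry:
                continue        # expired: the next request is unprotected again
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when its host has an active policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```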

Support

Websites:

  • PayPal sets the Strict-Transport-Security header on its HTTPS-only website.

Browsers:

  • Google Chrome supports Strict-Transport-Security as of version 4.0.211.0.[4]
  • The NoScript extension for Firefox enforces Strict-Transport-Security as of version 1.9.8.9.[5]
