Strict Transport Security
From Seo Wiki - Search Engine Optimization and Programming Languages
Strict Transport Security (STS) is a proposed HTTP response header that will require the user agent (such as a web browser) to access the website using secure connections only (such as HTTPS). The header specifies a period of time during which the user agent is not allowed to access the site insecurely.
An initial draft specification by Jeff Hodges from PayPal, Collin Jackson and Adam Barth was published on 18 September 2009. The specification is based on original work by Jackson and Barth as described in their paper “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks”.
A new STS specification version was recently published, on 18 December 2009, with revisions based on community feedback.
When Strict-Transport-Security is active for a website, a complying user agent does the following:
- Automatically turns any insecure link to the website into a secure link before contacting the server (for instance, http://www.example.com/some/page/ is rewritten to https://www.example.com/some/page/).
- If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), shows an error message and does not let the user click through it to reach the site.
Strict-Transport-Security helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker will not be able to intercept any request to a website while the user's browser has Strict-Transport-Security active for that site.
The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP or if the URI for the initial request was obtained over an insecure channel. The same applies to the first request after the activity period specified in the Strict-Transport-Security header is over.
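The behaviour described above, as an added illustration that is not part of the original article: a minimal, hypothetical user-agent policy store that records `max-age` from a header received over TLS, rewrites `http://` links to `https://` while the policy is active, and forgets the host once the period lapses, so the next request is again unprotected. Treating `max-age=0` as removal follows the later RFC 6797 and is an assumption beyond this page.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Hypothetical minimal Strict-Transport-Security store for one user agent."""

    def __init__(self):
        self._expires = {}  # host -> absolute expiry time, in seconds

    @staticmethod
    def parse_max_age(header_value):
        """Return the max-age value (seconds) from a header value, or None."""
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.strip().lower() == "max-age":
                value = value.strip().strip('"')
                if value.isdigit():
                    return int(value)
        return None

    def process_response(self, host, over_tls, header_value, now=None):
        """Record the policy; only a header received over TLS is trusted."""
        if not over_tls:
            return False  # an active attacker on plain HTTP could inject one
        max_age = self.parse_max_age(header_value)
        if max_age is None:
            return False
        now = time.time() if now is None else now
        if max_age == 0:
            self._expires.pop(host, None)  # assumption: max-age=0 removes the policy
        else:
            self._expires[host] = now + max_age
        return True

    def is_active(self, host, now=None):
        """True while the host's max-age period has not yet run out."""
        now = time.time() if now is None else now
        expiry = self._expires.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[host]  # period over: next request is unprotected again
            return False
        return True

    def rewrite(self, url, now=None):
        """Upgrade an insecure link to a known host; leave everything else alone."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_active(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```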
- PayPal sets the Strict-Transport-Security header on its HTTPS-only website.
- Google Chrome supports Strict-Transport-Security as of version 4.0.211.0.
- The NoScript extension for Firefox enforces Strict-Transport-Security as of version 1.9.8.9.
- "Strict Transport Security -05". 18 September 2009. http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html. Retrieved 19 November 2009.
- "ForceHTTPS: Protecting High-Security Web Sites from Network Attacks". April 2008. https://crypto.stanford.edu/forcehttps/. Retrieved 19 November 2009.
- "Strict Transport Security -06". 18 December 2009. http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html. Retrieved 23 December 2009.
- Jeff Hodges (18 September 2009). "fyi: Strict Transport Security specification". http://lists.w3.org/Archives/Public/public-webapps/2009JulSep/1148.html. Retrieved 19 November 2009.
- Giorgio Maone (23 September 2009). "Strict Transport Security in NoScript". http://hackademix.net/2009/09/23/strict-transport-security-in-noscript/. Retrieved 19 November 2009.