pages/hsts.md: 8 additions & 8 deletions
@@ -40,33 +40,33 @@ Strict Transport Security was [proposed in 2009](https://lists.w3.org/Archives/P
40
40
41
41
The basic problem that HSTS solves is that even after a website turns on HTTPS, visitors may still end up trying to connect over plain HTTP. For example:
42
42
43
-
* When a user types "dccode.gov" into the URL bar, browsers default to using `http://`.
43
+
* When a user types "gsa.gov" into the URL bar, browsers default to using `http://`.
44
44
* A user may click on an old link that mistakenly uses an `http://` URL.
45
45
* A user's network may be hostile and actively rewrite `https://` links to `http://`.
46
46
47
47
Websites that prefer HTTPS will generally still listen for connections over HTTP in order to redirect the user to the HTTPS URL. For example:
48
48
49
49
```
50
-
$ curl --head http://www.facebook.com
50
+
$ curl --head http://github.com
51
51
52
52
HTTP/1.1 301 Moved Permanently
53
-
Location: https://www.facebook.com/
53
+
Location: https://github.com/
54
54
```
55
55
56
56
**This redirect is insecure** and is an opportunity for an attacker to capture information about the visitor (such as cookies from a previous secure session), or to maliciously redirect the user to a phishing site.
57
57
58
58
This can be addressed by returning a `Strict-Transport-Security` header whenever the user connects securely. For example:
This enables HSTS for `www.facebook.com`. While HSTS is in effect, clicking any links to `http://www.facebook.com` will cause the browser to issue a request directly for `https://www.facebook.com`.
67
+
This enables HSTS for `github.com`. While HSTS is in effect, clicking any links to `http://github.com` will cause the browser to issue a request directly for `https://github.com`.
68
68
69
-
In the above example, the browser will remember the HSTS policy for 180 days. The policy is refreshed every time browser sees the header again, so if a user visits `https://www.facebook.com` at least once every 180 days, they'll be indefinitely protected by HSTS.
69
+
In the above example, the browser will remember the HSTS policy for 1 year. The policy is refreshed every time browser sees the header again, so if a user visits `https://github.com` at least once every year, they'll be indefinitely protected by HSTS.
70
70
71
71
## HSTS Preloading
72
72
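Review bot: the new "1 year" / "at least once every year" wording at the end of this hunk has to agree with the `max-age` value in the `Strict-Transport-Security` header example that sits between "For example:" and this paragraph (that part of the file is not shown in this rendering); the old text said 180 days, so if the header example still carries the old value the prose and the header will disagree, while `max-age=31536000` (the value used in this file's Apache example) does round to 1 year. Since the line is being touched anyway, "every time browser sees the header again" is missing "the" in both the removed and the added version. The `curl --head http://github.com` example with `Location: https://github.com/` is plausible, but the response shown should be checked against a live request before merging, because readers will take the 301 and the `Location` value as literal output.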
@@ -127,7 +127,7 @@ On **Apache**, you would apply a `Header` directive to always set the HSTS heade
127
127
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
128
128
```
129
129
130
-
On **Microsoft systems running IIS** (Internet Information Services), there are no ".htaccess" files to implement custom headers. IIS applications use a central `web.config` file for configuration.
130
+
On **Microsoft systems running IIS** (Internet Information Services), there are no ".htaccess" files to implement custom headers. IIS applications use a central `web.config` file for configuration.
131
131
132
132
For IIS 7.0 and up, the example `web.config` file configuration below will handle secure HTTP to HTTPS redirection with HSTS enabled for HTTPS:
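Review bot: the removed and added IIS lines read identically in this rendering, which points to a whitespace-only change (trailing whitespace or line ending); if that is the intent it is harmless, but the commit message should say so, and if a wording edit was intended it did not land. The unchanged Apache context line above, `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`, is the value the rest of the page now describes as 1 year, so the `web.config` example that follows should use the same `max-age` to keep the two server examples consistent.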