HTTP Strict Transport Security (HSTS)
Source: Internet | Posted by: 天刀捏脸数据金木研 | Editor: 程序博客网 | Time: 2024/06/14 13:34
What is HSTS?
HTTPS (HTTP encrypted with SSL or TLS) is an essential part of the measures to secure traffic to a website, making it very difficult for an attacker to intercept, modify, or fake traffic between a user and the website.
When a user enters a web domain manually (providing the domain name without the http:// or https:// prefix) or follows a plain http:// link, the first request to the website is sent unencrypted, using plain HTTP. Most secured websites immediately send back a redirect to upgrade the user to an HTTPS connection, but a well-placed attacker can mount a man-in-the-middle (MITM) attack to intercept the initial HTTP request and can control the user’s session from then on.
HSTS seeks to deal with the potential vulnerability by instructing the browser that a domain can only be accessed using HTTPS. Even if the user enters or follows a plain HTTP link, the browser strictly upgrades the connection to HTTPS:
[Figure: Chrome developer tools illustrate how an HSTS policy generates an internal redirect to upgrade HTTP to HTTPS]
How Does HSTS Work?
An HSTS policy is published by sending the following HTTP response header from secure (HTTPS) websites:
Strict-Transport-Security: max-age=31536000
When a browser sees this header from an HTTPS website, it “learns” that this domain must only be accessed using HTTPS (SSL or TLS). It caches this information for the max-age period (typically 31,536,000 seconds, equal to about 1 year).
The optional includeSubDomains parameter tells the browser that the HSTS policy also applies to all subdomains of the current domain.
Strict-Transport-Security: max-age=31536000; includeSubDomains
For example, the HTML response for https://www.example.com can include a request to a resource from https://example.com, so that the browser also receives the HSTS header (with includeSubDomains) from example.com and the policy then covers all subdomains of example.com.
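To make the behaviour described in this section concrete, here is an added example (not part of the original article, and not code from any browser) that parses a Strict-Transport-Security header the way RFC 6797 specifies and keeps a small per-host cache that decides whether a request should be upgraded. The host names and header values in it are constructed for illustration. It covers the points a defender cares about when checking a deployment: max-age is mandatory, directive names are case-insensitive, the header is only honoured on an HTTPS response, max-age=0 clears the policy, and includeSubDomains is what makes a parent-domain policy apply to subdomains.

```python
"""Minimal HSTS header parser and host cache, modelled on RFC 6797.

Added example, not from the original article or from any browser's code.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy stays valid
    include_subdomains: bool
    learned_at: float       # timestamp (seconds) when the header was seen

    def expired(self, now: float) -> bool:
        return now >= self.learned_at + self.max_age


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; return None if it is invalid.

    RFC 6797 requires exactly one max-age directive; directive names are
    case-insensitive and values may be quoted. Unknown directives (such as
    the non-standard 'preload' token) are ignored here.
    """
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None          # duplicate or non-numeric max-age
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None                  # max-age is mandatory
    return HstsPolicy(max_age, include_sub, now)


class HstsCache:
    """Stores one policy per host, as a browser's HSTS store does."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe(self, scheme: str, host: str, header: str, now: float) -> None:
        """Record the header from a response for `host` over `scheme`."""
        # RFC 6797 section 8.1: only honour the header on a secure response,
        # otherwise a network attacker could set (or clear) policies.
        if scheme.lower() != "https":
            return
        policy = parse_hsts(header, now)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._policies.pop(host, None)   # max-age=0 deletes the policy
        else:
            self._policies[host] = policy

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-HTTP request to `host` must be rewritten to HTTPS."""
        labels = host.lower().split(".")
        # Check the exact host first, then each parent domain in turn.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or policy.expired(now):
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: www.example.com inherits the policy that the
    # bare domain published with includeSubDomains.
    cache = HstsCache()
    t0 = 1_000_000.0
    cache.observe("https", "example.com", "max-age=31536000; includeSubDomains", t0)
    print("www.example.com upgraded:", cache.should_upgrade("www.example.com", t0 + 1))
```

The `observe` method takes the scheme explicitly because the single most common deployment mistake is serving the header on the plain-HTTP redirect response, where browsers are required to ignore it; a checker built on this code would flag that case rather than silently accepting it.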
Read More
For more details about HSTS, check out the following resources:
- RFC 6797, HTTP Strict Transport Security (HSTS)
- HTTP Strict Transport Security on Wikipedia
- Browser support for HSTS