HSTS
notes date: 2017-02-15
source links:
source date: 2012-11-01
2.3.1.1. Use Case: Passive Network Attackers
- Supporting (but not forcing) end-to-end encryption requires session identifiers to be stored in an HTTP/HTTPS-agnostic place so they can be used over either.
- A single request to an HTTP endpoint means that the user's cookies are sent in plaintext, leaving the session open to hijacking.
2.3.1.2. Use Case: Active Network Attackers
- DNS server impersonation and/or spoofing network frames can cause users to receive content from a non-genuine source, and users will be none the wiser.
2.3.1.3. Web Site Development and Deployment Bugs
- Main content served over HTTPS but assets (CSS, SWF, JS) served over HTTP is still insecure, since those assets can be spoofed so that clients execute unsafe operations.
5.1 HSTS Host Declaration
- A host declares itself an HSTS host by sending the Strict-Transport-Security HTTP response header on any HTTP response sent over secure transport.
HSTS directives are listed as semicolon-separated values of that header:
- (required) max-age=VALUE
- how many seconds after receipt of the STS header the UA shall regard the host as a known HSTS host
- max-age=0 tells the UA to cease regarding the host as a known HSTS host
- includeSubDomains (optional; valueless)
- signals to the UA that the HSTS policy applies to this HSTS host as well as any subdomains of the host's domain name.
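Worked example (added here; not from the notes or the RFC text): a minimal model of a UA's known-HSTS-host store implementing the directive rules above: the header is only honoured over TLS, max-age is required and must be a non-negative integer, a repeated directive invalidates the header, max-age=0 forgets the host, and includeSubDomains extends the policy to subdomains. Hostnames and header values used in the comments are constructed.

```python
# Added example: toy user-agent HSTS store driven by the STS directive rules.
from typing import Dict, Optional, Tuple

Policy = Tuple[int, bool]  # (max-age in seconds, includeSubDomains)


def parse_sts_header(value: str) -> Optional[Policy]:
    """Parse an STS header value; None means the UA must ignore it
    (max-age missing or malformed, or a directive repeated)."""
    seen, max_age, subs = set(), None, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()          # names are case-insensitive
        if not name:
            continue
        if name in seen:                     # directives MUST appear only once
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')     # value may be a quoted-string
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            subs = True
        # unknown directives are ignored so the header can be extended
    return None if max_age is None else (max_age, subs)


def apply_sts_header(store: Dict[str, Policy], host: str,
                     value: str, over_tls: bool) -> None:
    """Update the known-HSTS-host store from one response."""
    if not over_tls:                         # header only honoured over TLS
        return
    policy = parse_sts_header(value)
    if policy is None:
        return
    if policy[0] == 0:                       # max-age=0: forget the host
        store.pop(host, None)
    else:
        store[host] = policy


def must_use_https(store: Dict[str, Policy], host: str) -> bool:
    """True if host, or a parent with includeSubDomains, is a known HSTS host."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in store and (i == 0 or store[parent][1]):
            return True
    return False
```

A real UA also has to expire entries after max-age seconds and handle the preload list; both are left out here to keep the directive logic visible.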