@@ 19,6 19,7 @@ strict-transport-security: Strict-Transport-Security: max-age=31557600;
To an HSTS aware client (i.e all mordern browsers) this means
> _I swear that I will serve content on secure transport for atleast next 31557600 seconds (1 year)_
client can now cache this information, and if you ever get the
@@ 40,7 41,7 @@ But max age is only one of the directive, there are more.
HSTS helps enforce HTTPS much better for a user, thus helping us avoid
non-secure transport attacks much better.
1. Passive network attackers
### 1. Passive network attackers
Threats from people sniffing your network passivly, like someone else
on a public coffee shop wifi you are currently using. The best attack
@@ 52,7 53,7 @@ session tokens in a clear transport. HSTS helps browsers to force the
transport to be secure and fail if someone is trying to downgrade the
connection to mount a firesheep style attach.
2. Active network attackers
### 2. Active network attackers
Threats from people inside the network, someone who has access to how
you get on the internet (someone who got access to your ISP or the
@@ 62,7 63,7 @@ client into beliving a secure transport does not exist for a particular
domain, thus forcing it to send sensitve data over cleartext. HSTS
will be able to detect this and prevent connecting to the site.
3. Deployment and management errors
### 3. Deployment and management errors
Deploying https is getting easier everyday, but still quite tricky to
get right if you are deploying a complex system. HSTS helps prevent
@@ 70,13 71,14 @@ management errors where one might have accidently exposed some
services (I'm looking at you legacy cruft!) on a subdomain, or
embedded in a https site (so called mixed content errors)
4. No click through errors.
### 4. No clicking through errors.
HSTS also helps mitigate user errors, in case of breakage hsts spec forces
client to not allow users to override their
behaviour by clicking through.
## A note of caution
HSTS is pretty unforgiving (for a good reason) in cases of TLS
screwups. Also, its really hard to get out of preload lists. Make sure
your https deployment is rock stable pushing out HSTS, start with a
your https deployment is rock stable pushing out HSTS. Start with a
small time delta, and keep increasing after careful testing.