{"id":30,"date":"2017-06-29T20:16:58","date_gmt":"2017-06-29T08:16:58","guid":{"rendered":"https:\/\/content.ronella.xyz\/apps\/wordpress\/?p=30"},"modified":"2022-08-19T09:17:13","modified_gmt":"2022-08-18T21:17:13","slug":"http-strict-transport-security-hsts","status":"publish","type":"post","link":"https:\/\/www.ronella.xyz\/?p=30","title":{"rendered":"HTTP Strict Transport Security (HSTS)"},"content":{"rendered":"

Have you experience something that when you access a website it will always try to use the HTTPS scheme. This can happen because of the following reason:<\/p>\n

The server requests a redirect to an https scheme.<\/p>\n

Or<\/p>\n

The browser receives an Strict-Transport-Security (STS) header .<\/p>\n

In our case, I am talking about the second one. With the advent of Let's Encrypt<\/b><\/a> CA, everybody now can have a free SSL certificate if we like that normally lasts for 3-months. To make it longer than that, just use or create a script that will do the automatic renewal of our certificate.<\/p>\n

The server can tell the browser to always use HTTPS for a period of time using HSTS.<\/p>\n

HTTP Strict Transport Security<\/b>\u00a0(HSTS<\/b>) is a web security policy mechanism which helps to protect websites against\u00a0protocol downgrade attacks<\/a>\u00a0and\u00a0cookie hijacking<\/a>. - https:\/\/en.wikipedia.org\/wiki\/HTTP_Strict_Transport_Security<\/a><\/a><\/p>\n

We can observe HSTS in action using chrome via the developer tools. If you access a website via HTTP and we can notice from the picture at the bottom that there's an internal redirect<\/b> going-on (i.e. 307 Internal Redirect)<\/i>. This is not a redirect request coming from the server but from the browser itself.\u00a0 Another clue is the existence of Non-Authoritative-Reason : HSTS<\/b> header.<\/p>\n

The Upgrade-Insecure-Request<\/b> header is telling the server that we prefer the secured content to be served. Thus if our websites contains a mixture of HTTP and HTTPS artifacts (e.g. CSS, Javascript)<\/i>, everything will be served as HTTPS.<\/p>\n

\"\"<\/a><\/p>\n

Related Post<\/strong>
\nCLEARING DOMAIN HSTS IN CHROME<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Have you experience something that when you access a website it will always try to use the HTTPS scheme. This can happen because of the following reason: The server requests a redirect to an https scheme. Or The browser receives an Strict-Transport-Security (STS) header . In our case, I am talking about the second one. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/30"}],"collection":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":2,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":1558,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions\/1558"}],"wp:attachment":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}