HTTP Strict Transport Security Cheat Sheet - Revision history

Dominique RIGHETTO: Point to the official site

2019-07-15T14:10:54Z

Point to the official site

2019-02-14T11:38:14Z

Migration to GitHub

2017-09-11T06:22:24Z

2017-09-11T06:05:47Z

‎Other Cheatsheets

2017-01-07T00:01:42Z

‎Introduction

2017-01-07T00:00:16Z

‎Links

2017-01-06T23:58:45Z

‎Introduction

2016-08-10T20:41:48Z

dupe word

2016-08-10T20:39:14Z

‎Examples

2016-08-10T20:31:08Z

← Older revision		Revision as of 14:10, 15 July 2019
Line 4:		Line 4:
	The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!		The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!

−	Please visit [https://~~github~~.~~com/OWASP/CheatSheetSeries/blob/master~~/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md HTTP Strict Transport Security Cheat Sheet] to see the latest version of the cheat sheet.	+	Please visit [https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html HTTP Strict Transport Security Cheat Sheet] to see the latest version of the cheat sheet.

@@ Line 2: / Line 2: @@
 <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
-{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
+The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
-= Introduction  =
+Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md HTTP Strict Transport Security Cheat Sheet] to see the latest version of the cheat sheet.

@@ Line 5: / Line 5: @@
 | valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
   __TOC__{{TOC hidden}}
-== Description ==
+= Introduction  =
 HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.

@@ Line 98: / Line 98: @@
 and others...
-== Other Cheatsheets ==
+= Other Cheatsheets =
 {{Cheatsheet_Navigation_Body}}

@@ Line 87: / Line 87: @@
 * [http://www.thoughtcrime.org/software/sslstrip/ Moxie Marlinspike's Black Hat 2009 talk on sslstrip, that demonstrates why you need HSTS]
 * [http://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtube_gdata AppSecTutorial Series - Episode 4]
 = Authors and Primary Editors  =

@@ Line 48: / Line 48: @@
 Site owners can use HSTS to identify users without cookies. This can lead to a significant privacy leak[http://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy].
-Cookies can be manipulated from sub-domains, so omitting the include "includeSubDomains" option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the "Secure Flag" is set on all cookies will also prevent, some, but not all, of the same attacks.
+Cookies can be manipulated from sub-domains, so omitting the "includeSubDomains" option permits a broad range of cookie-related attacks that HSTS would otherwise prevent by requiring a valid certificate for a subdomain. Ensuring the "Secure Flag" is set on all cookies will also prevent, some, but not all, of the same attacks.
 == Browser Support ==

@@ Line 26: / Line 26: @@
 == Examples  ==
-Simple example, using a long (1 year) max-age:
+Simple example, using a long (1 year) max-age. This example is dangerous since it lacks <i>includeSubDomains</i>.
    Strict-Transport-Security: max-age=31536000
-If all present and future subdomains will be HTTPS:
+This example is useful if all present and future subdomains will be HTTPS. This is a more secure option but will block access to certain pages that can only be served over HTTP.
    Strict-Transport-Security: max-age=31536000; includeSubDomains
 '''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use the header below. <b>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains if you find you need to switch back to HTTP. Please read the details at hstspreload.appspot.com/#removal before sending the header with "preload".</b>

@@ Line 34: / Line 34: @@
    Strict-Transport-Security: max-age=31536000; includeSubDomains
-'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use the header below. <b>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains if you find you need to switch back to HTTP. Please read the details at hstspreload.appspot.com/#removal before sending the header with "preload". Also visit https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html#Important_regarding_preload for a previous guide that the owner updated in response to a similar request to add a warning.</b>
+'''Recommended:''' If the site owner would like their domain to be included in the [https://hstspreload.appspot.com/ HSTS preload list] maintained by Chrome (and used by Firefox and Safari), then use the header below. <b>Sending the preload directive from your site can have PERMANENT CONSEQUENCES and prevent users from accessing your site and any of its subdomains if you find you need to switch back to HTTP. Please read the details at hstspreload.appspot.com/#removal before sending the header with "preload".</b>
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload