(40 intermediate revisions by 18 users not shown) |
Line 1: |
Line 1: |
− | {{Template:Stub}}
| + | #REDIRECT [[HTTP_Strict_Transport_Security_Cheat_Sheet]] |
− | | |
− | <br>
| |
− | | |
− | == Description ==
| |
− | | |
− | HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
| |
− | | |
− | <br>
| |
− | | |
− | == Examples ==
| |
− | | |
− | Example of the HTTP strict transport security header
| |
− | | |
− | Strict-Transport-Security: max-age=60000
| |
− | | |
− | If all subdomains are HTTPS to then the following header is applicable:
| |
− | | |
− | Strict-Transport-Security: max-age=60000; includeSubDomains
| |
− | | |
− | == Browser Support ==
| |
− | | |
− | {| width="400" cellspacing="1" cellpadding="1" border="1"
| |
− | |-
| |
− | | '''Browser'''<br>
| |
− | | '''Lowest Version Supported'''<br>
| |
− | |-
| |
− | | Internet Explorer <br>
| |
− | | no support<br>
| |
− | |-
| |
− | | Firefox<br>
| |
− | | 4<br>
| |
− | |-
| |
− | | Opera<br>
| |
− | | 10.50<br>
| |
− | |-
| |
− | | Safari<br>
| |
− | | 4.0<br>
| |
− | |-
| |
− | | Chrome<br>
| |
− | | 4.0.211.0<br>
| |
− | |}
| |
− | | |
− | <br>
| |
− | | |
− | == Server Side ==
| |
− | | |
− | The server side needs to inject the HSTS header.
| |
− | | |
− | For HTTP sites on the same domain it is recommended that a HSTS header be returned along with a permanent redirect to the HTTPS site.
| |
− | | |
− | An Apache HTTPd example is as follows:
| |
− | | |
− | <VirtualHost *:80>
| |
− | ServerAlias *
| |
− | Header Always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
| |
− | RewriteEngine On
| |
− | RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
| |
− | </VirtualHost>
| |
− | | |
− | == Links ==
| |
− | | |
− | [http://www.w3.org/Security/wiki/Strict_Transport_Security HSTS Spec] | |
− | | |
− | [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia.org entry]
| |
− | | |
− | [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security MDN Docs for HSTS]
| |
− | | |
− | [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]
| |
− | | |
− | [[Category:Control|Control]]
| |
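Review bot: the Apache example being removed in this hunk places the HSTS header on the plain-HTTP virtual host (`<VirtualHost *:80>` together with `Header Always set Strict-Transport-Security "max-age=16070400; includeSubDomains"`), where browsers are required by RFC 6797 to ignore it, since a Strict-Transport-Security header received over an insecure connection is discarded; if this material is carried over to the HTTP_Strict_Transport_Security_Cheat_Sheet that the page now redirects to, the `Header always set Strict-Transport-Security ...` line belongs in the HTTPS (`*:443`) virtual host, and the port-80 host should keep only the `RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]` redirect. The redirect itself is fine, but the commit leaves no pointer to where the browser-support table and the Links section were merged, so a short note on the target page would help readers who followed the old URL.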