|
|
| (40 intermediate revisions by 18 users not shown) |
| Line 1: |
Line 1: |
| − | {{Template:Stub}}
| + | #REDIRECT [[HTTP_Strict_Transport_Security_Cheat_Sheet]] |
| − | | |
| − | <br>
| |
| − | | |
| − | == Description ==
| |
| − | | |
| − | HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
| |
| − | | |
| − | <br>
| |
| − | | |
| − | == Examples ==
| |
| − | | |
| − | Example of the HTTP strict transport security header
| |
| − | | |
| − | Strict-Transport-Security: max-age=60000
| |
| − | | |
| − | If all subdomains are HTTPS to then the following header is applicable:
| |
| − | | |
| − | Strict-Transport-Security: max-age=60000; includeSubDomains
| |
| − | | |
| − | == Browser Support ==
| |
| − | | |
| − | {| width="400" cellspacing="1" cellpadding="1" border="1"
| |
| − | |-
| |
| − | | '''Browser'''<br>
| |
| − | | '''Lowest Version Supported'''<br>
| |
| − | |-
| |
| − | | Internet Explorer <br>
| |
| − | | no support<br>
| |
| − | |-
| |
| − | | Firefox<br>
| |
| − | | 4<br>
| |
| − | |-
| |
| − | | Opera<br>
| |
| − | | 10.50<br>
| |
| − | |-
| |
| − | | Safari<br>
| |
| − | | 4.0<br>
| |
| − | |-
| |
| − | | Chrome<br>
| |
| − | | 4.0.211.0<br>
| |
| − | |}
| |
| − | | |
| − | <br>
| |
| − | | |
| − | == Server Side ==
| |
| − | | |
| − | The server side needs to inject the HSTS header.
| |
| − | | |
| − | For HTTP sites on the same domain it is recommended that a HSTS header be returned along with a permanent redirect to the HTTPS site.
| |
| − | | |
| − | An Apache HTTPd example is as follows:
| |
| − | | |
| − | <VirtualHost *:80>
| |
| − | ServerAlias *
| |
| − | Header Always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
| |
| − | RewriteEngine On
| |
| − | RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
| |
| − | </VirtualHost>
| |
| − | | |
| − | == Links ==
| |
| − | | |
| − | [http://www.w3.org/Security/wiki/Strict_Transport_Security HSTS Spec] | |
| − | | |
| − | [http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security Wikipedia.org entry]
| |
| − | | |
| − | [https://developer.mozilla.org/en/Security/HTTP_Strict_Transport_Security MDN Docs for HSTS]
| |
| − | | |
| − | [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet OWASP TLS Protection Cheat Sheet]
| |
| − | | |
| − | [[Category:Control|Control]]
| |
