Difference between revisions of "HSTS"

From The Hive
(create article)
 
(preload 1 year rather than 2 years)
 
(6 intermediate revisions by one other user not shown)
'''HTTP Strict Transport Security (HSTS)''' is an HTTP response header with which a site served over https instructs your browser (Google Chrome, for example) to treat it as "https-only" for a specified period of time; the browser remembers this much like a "cookie".

<syntaxhighlight lang="text">
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
</syntaxhighlight>

== HTTP Strict Transport Security ==

* https://https.cio.gov/ &mdash; Official government recommendations?
* https://tools.ietf.org/html/rfc6797
* https://www.globalsign.com/en/blog/what-is-hsts-and-how-do-i-use-it
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
* https://owasp.org/www-project-cheat-sheets/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

=== To preload or not to preload? ===

¿ https://hstspreload.org/?domain=colmena.biz ?

There is definitely a long-term encouragement toward https-only with the "preload" directive. That should be understood, within reasonable limits.

The site linked in this section seems to be a useful tool to check web server configuration. If the server is properly configured and sends the right headers, then it should be included on a "preload" list. Otherwise the domain should "age out" of the list in accordance with a general policy.

The "forms" for submission of "special requests" for addition to or removal from a list should be unnecessary.

== Error messages ==

Preloaded HSTS will lock users out of versions of your website that are either insecure or have certificates that fail to validate.

<hr>
:'''Oops.'''
:Firefox can’t load this page for some reason.
:_____ has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
::'''<nowiki>[Open Network Login Page] [Advanced ...]</nowiki>'''
<hr>

Public wifi hotspots that redirect secure requests to a login page are the most common cause of this or similar errors on HSTS preloaded sites. The login page itself may be secure, but depending on policy, it has no authority to accept or redirect a secure request on behalf of the requested site without its authorization.

If you do use free public wifi, it is sometimes helpful to avoid using an HSTS preloaded site as your homepage or start page.

After you have successfully logged in to the wifi hotspot for internet access, it should not be a problem to visit secure sites.

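A small Python model of the header and the browser-side behaviour described in the two sections above (the preload requirements, and the "You can't add an exception" lockout); this is an added example, not code from this wiki or from hstspreload.org. It assumes the preload-list minimum max-age is the one year (31536000 seconds) shown in the header above, and the names parse_sts, preload_ready, hsts_applies and the policies dict are chosen here.

```python
"""Added example (not the wiki's code): parse a Strict-Transport-Security
header per RFC 6797 section 6.1 and model the browser decisions above."""
import re
from typing import Optional

# hstspreload.org minimum max-age, assumed to be the 1 year shown on the page
ONE_YEAR = 31536000


def parse_sts(header: str) -> Optional[dict]:
    """Return the parsed directives, or None when a UA must ignore the header
    (max-age missing or non-numeric, or any directive repeated, which RFC 6797
    forbids). Unknown directives are ignored; names are case-insensitive."""
    if header.lower().startswith("strict-transport-security:"):
        header = header.split(":", 1)[1]  # accept the full header line too
    seen = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # directive values may be quoted
        if name in seen:
            return None  # "All directives MUST appear only once"
        seen[name] = value
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return {"max-age": int(seen["max-age"]),
            "includesubdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}


def preload_ready(header: str) -> bool:
    """True when a base domain's header meets the preload submission rules:
    max-age of at least 1 year, includeSubDomains and preload all present."""
    p = parse_sts(header)
    return bool(p and p["max-age"] >= ONE_YEAR
                and p["includesubdomains"] and p["preload"])


def hsts_applies(policies: dict, host: str) -> bool:
    """Does a remembered (or preloaded) policy force https for host?
    policies maps a known HSTS host to its parsed directives. A superdomain's
    policy covers subdomains only with includeSubDomains (RFC 6797 section
    8.3). When True, a captive-portal redirect or a certificate that fails to
    validate is a hard error: the UA must not offer an exception."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        p = policies.get(".".join(labels[i:]))
        if p and (i == 0 or p["includesubdomains"]):
            return True
    return False
```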
== Not to be confused ==

The acronym '''HSTS''' is also used as a derogatory slur for "HomoSexual TransSexual" in the theories of psychiatrists or psychologists J. Michael Bailey, Ray Blanchard, Anne Lawrence et alia, in their scientific classification of transgender individuals [[Sex assignment at birth|assigned male at birth]] by sexual orientation.

We really need an IQ test or a criminal background check for these doctors, or something like that, before ''they'' are permitted to revoke ''our'' rights by involuntary civil commitment and other unusual or extraordinary proceedings under color of law that relate to mental health or legalistic allegations of mental illness.

* https://www.researchgate.net/publication/281747420_The_Man_Who_Would_Be_Queen
* https://www.fbi.gov/investigate/white-collar-crime/health-care-fraud

Latest revision as of 22:39, 26 February 2020
