11 lines
1.2 KiB
Plaintext
11 lines
1.2 KiB
Plaintext
When implementing the HTTPS protocol, the website mostly continue to support the HTTP protocol to redirect users to HTTPS when they request a HTTP version of the website. These redirects are not encrypted and are therefore vulnerable to man in the middle attacks. The https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[Strict-Transport-Security policy header] (HSTS) set by an application instructs the web browser to convert any HTTP request to HTTPS.
|
|
|
|
|
|
Web browsers that see the Strict-Transport-Security policy header for the first time record information specified in the header:
|
|
|
|
* the ``++max-age++`` directive which specify how long the policy should be kept on the web browser.
|
|
* the ``++includeSubDomains++`` optional directive which specify if the policy should apply on all sub-domains or not.
|
|
* the ``++preload++`` optional directive which is not part of the HSTS specification but supported on all modern web browsers.
|
|
|
|
With the ``++preload++`` directive the web browser never connects in HTTP to the website and to use this directive, it is required https://hstspreload.org/[to submit] the concerned application to a preload service maintained by Google.
|