Posts

Showing posts from August, 2015

Implementing HSTS

Everyone knows what HSTS (HTTP Strict Transport Security) does: it instructs the browser to load a website over HTTPS no matter what, so the site cannot be loaded over plain http. When you hit a website, e.g. http://example.com, the server returns a ‘Strict-Transport-Security’ header that tells the browser that from now on the website must be loaded over https.

We know the issue with redirecting a site from http to https: a 301/302 sends the browser to the secure scheme by loading https://example.com when the user hits http://example.com. The problem is that the response to that first request, which travels over http, can be modified and its contents replaced with phishing ones. Still, a large number of websites rely on this redirection; one classic example is American Express. When you access www.americanexpress.com for the first time, it redirects you to https://www.americanexpress.com:

The website first loads over http, then issues a 301 redirect and loads again over https. The below pic will mak…
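To make the difference between the two mechanisms concrete, here is an added example (not code from the post) that models the browser side of HSTS: the header is parsed, the host is remembered, and later http:// URLs are upgraded locally before any request is sent, so the exposed redirect round-trip never happens. The `HstsStore` class, its method names and the injectable clock are my own constructions, not part of any browser API.

```python
# Constructed model of the browser side of HSTS (RFC 6797).
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if the value is invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or malformed max-age: the whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored, as the RFC requires
    return None if max_age is None else {"max_age": max_age, "include_subdomains": include_sub}

class HstsStore:
    """Hosts the browser has been told to load only over HTTPS (in-memory, per process)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._hosts = {}         # host -> (expiry timestamp, include_subdomains)

    def record(self, host, header, over_https):
        # Honoured only on an HTTPS response; over plain HTTP the header is ignored,
        # which is why the very first http:// visit stays exposed.
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
        else:
            self._hosts[host.lower()] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        # A known host is rewritten to https:// locally; the server's 301 is never needed.
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or ""):
            return urlunsplit(("https", p.netloc.removesuffix(":80"), p.path, p.query, p.fragment))
        return url
```

Note that `record` returns `False` for a header received over http: that first visit is exactly the window the redirect approach leaves open, and nothing on the client can close it until a policy has been seen over https.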