Everyone knows what HSTS (HTTP Strict Transport Security) does: it instructs browsers to load a website over HTTPS no matter what.
You cannot load the website over plain http. When you hit a website, e.g. http://example.com, the server returns a
'Strict-Transport-Security' header that tells the browser that from now on the website must
be loaded over https.
We know the issue with redirecting a site from http to
https: a 301/302 redirect sends the browser to the secure scheme by loading https://example.com when the user hits http://example.com. The issue here is that the
response to the first request, which loads over http, can be modified and its
contents replaced with phishing content. Still, a large number of websites
do this redirection; one classic example is American Express. When you
access www.americanexpress.com
for the first time, it redirects you to https://www.americanexpress.com:
the website first loads over http and then makes a 301
redirect and loads again over https. The screenshot below makes it clearer:
Now let's examine the following website (Facebook). Try
accessing http://facebook.com and it loads on
https://facebook.com. But there's a
difference here: instead of making a 301/302 redirect, the Facebook site makes a
307 redirect, which is an internal redirect:
The 307 here means that the browser is not going to make the
first request over http at all; instead it makes the first request over
https. The browser has refused to make any connection over the insecure
http protocol. Let's examine the response:
You can see the HSTS header in the response:
All sites that need to be loaded over https by default
should be submitted at https://hstspreload.appspot.com/.
This list is maintained by Chrome and contains the domains that must
be loaded over https by default. That means that when the browser ships,
your site is already part of the list for which https is the default.
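As an added example (not code from the original post), here is a small Python model of what the browser does with that header: it parses the Strict-Transport-Security directives, caches the policy, upgrades later http:// URLs to https:// before any request is sent (the internal 307 shown above), and checks whether a header meets the preload-list requirements. The header values used are constructed, and the one-year minimum max-age is an assumption about the preload list's rules, not something taken from the page.

```python
import time
from urllib.parse import urlsplit, urlunsplit
PRELOAD_MIN_AGE = 31536000  # 1 year: assumed current minimum max-age for the preload list

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 directives, ';'-separated)."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name:
            out[name] = value.strip().strip('"')
    if "max-age" in out:
        out["max-age"] = int(out["max-age"])
    return out

class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, includeSubDomains)."""
    def __init__(self, now=time.time):
        self.entries = {}
        self.now = now

    def record(self, host, header):
        """Remember the policy sent by `host` (only meaningful on an https response)."""
        d = parse_hsts(header)
        if "max-age" not in d:
            return  # a header without max-age is invalid and ignored
        if d["max-age"] == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 removes the policy
            return
        self.entries[host.lower()] = (self.now() + d["max-age"], "includesubdomains" in d)
    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def preload_eligible(header):
    """Check the header against the preload-list rules: long max-age, includeSubDomains, preload."""
    d = parse_hsts(header)
    return d.get("max-age", 0) >= PRELOAD_MIN_AGE and "includesubdomains" in d and "preload" in d
```

A host that is not in the cache (the American Express case above) keeps its http:// URL, so the first request still goes out in clear text and the 301 response is what an attacker on the path could tamper with.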