HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks[1] and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.
The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. The HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.[2] Websites using HSTS often do not accept cleartext HTTP, either by rejecting connections over HTTP or by systematically redirecting users to HTTPS (though this is not required by the specification). The consequence of this is that a user agent that cannot do TLS will not be able to connect to the site.
The protection only applies after a user has visited the site at least once, relying on the principle of "trust on first use". The way this protection works is that when a user enters or selects an HTTP (not HTTPS) URL for the site, the client, such as a web browser, automatically upgrades it to HTTPS without making an HTTP request, thereby preventing any HTTP man-in-the-middle attack from occurring.
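As an added example (not code from the original article), the following Python models the user-agent side of the mechanism described above: it parses the Strict-Transport-Security header, records the policy only when the header arrived over TLS (which is what makes the scheme trust-on-first-use), honours max-age expiry, max-age=0 and includeSubDomains, and rewrites http:// URLs to https:// before any request leaves the client. The HstsStore and parse_sts_header names, the injectable clock and the sample hosts are assumptions made for this illustration, not part of RFC 6797 or any browser's code.

```python
"""Model of how a user agent records and applies an HSTS policy (RFC 6797).

Added example, not code from the original page. The class and function
names, the clock injection and the sample values are constructed here.
"""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool   # policy also covers every subdomain of the host


def parse_sts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid: the UA must ignore a header that lacks max-age or that
    repeats a directive (RFC 6797 sec. 6.1). Unknown directives are skipped.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')       # max-age may be a quoted-string
        if name in seen:                   # duplicate directive: whole header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # anything else (e.g. "preload") is ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """The list of known HSTS hosts that a user agent keeps (hypothetical model)."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock so expiry can be tested
        self._hosts: dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, over_tls: bool, sts_header: Optional[str]) -> bool:
        """Record the policy carried by a response. Returns True if the store changed.

        A header seen on plain HTTP is ignored (RFC 6797 sec. 8.1): the policy is
        only trusted once a secure connection has been made, hence trust on first use.
        """
        if not over_tls or sts_header is None:
            return False
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:             # max-age=0 tells the UA to forget the host
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = HstsPolicy(
            expires_at=self._now() + parsed["max_age"],
            include_subdomains=parsed["include_subdomains"],
        )
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # host itself, then each superdomain
            policy = self._hosts.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self._now():
                del self._hosts[candidate]     # expired: drop it and keep looking
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str) -> str:
        """Upgrade an http:// URL to https:// before any request is sent (sec. 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        if parts.port is None or parts.port == 80:
            netloc = parts.hostname            # explicit :80 becomes the default https port
        else:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Because the store only changes on a TLS response, a first visit over plain HTTP is exactly the window the article describes: nothing is learned, and the URL is not rewritten until the site has been reached over HTTPS once.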
[1] "Strict-Transport-Security". MDN Web Docs. Mozilla. Archived from the original on 20 March 2020. Retrieved 31 January 2018.
[2] Hodges, Jeff; Jackson, Collin; Barth, Adam (November 2012). "HSTS Policy". HTTP Strict Transport Security (HSTS). IETF. sec. 5.2. doi:10.17487/RFC6797. RFC 6797.