Collaborate Disseminate
We have added HSTS policy at Akamai level (domain). When we Intercept the request using burp we dont see HSTS policy is getting added in response, in case we hit site with http.
But with https we able to see the HSTS policy.
Issue is to fi… Continue reading HSTS Policy Not Appear in Burp Intercept Response
We have added HSTS policy at Akamai level (domain). When we Intercept the request using burp we dont see HSTS policy is getting added in response, in case we hit site with http.
But with https we able to see the HSTS policy.
Issue is to fi… Continue reading HSTS Policy Not Appear in Burp Intercept Response
I want to clear my doubt that Is there any issues coming from adding ‘Strict-Transport-Security’ and ‘X-XSS-Protection’ headers ?
Header set Strict-Transport-Security "max-age=10886400;
Header set X-XSS-Protection "1; mode=block&… Continue reading Headers X-XSS-Protection issue
i am trying to secure my apache web server myself before go live so i added these security headers to my apache site.conf file after lot of reading and googling. i know we can not secure a server 100% but 99% i know there are lot of securi… Continue reading securing apache webserver using security headers
If I have HSTS enforced on a web server with HTTPS 443, but HTTP port 80 is still open, does this make HTTP still accessible, or only for the first time before it’s added to the browser HSTS list?
I imagine best practice would be just to d… Continue reading HTTP and HSTS Web Server
Is there a point in being MITM nowadays since HTTPS makes it impossible to make sense of sniffed data and HSTS prevents SSL stripping?
I published the following diary on isc.sans.edu: “Obscure Wininet.dll Feature?“: The Internet Storm Center relies on a group of Handlers who are volunteers and offer some free time to the community besides our daily job. Sometimes, we share information between us about an incident or a problem that we are facing and
The post [SANS ISC] Obscure Wininet.dll Feature? appeared first on /dev/random.
can HSTS be considered asa remediation for the vulneraberabity "cookies are not protected by secure flag" for a PCI DSS auditor?
I recently discovered during a penetration test that the HSTS was returned by the application but in this format:
"Strict-TransportSecurity"
Instead of:
"Strict-Transport-Security"
Does this format mean that the header … Continue reading Is this HSTS HTTP Response Header Misconfigured?
If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), how will the browser behave? Does the browser just follow one of them, or simply error out and discard all? Is this behaviour di… Continue reading What happens if multiple Strict-Transport-Security headers are set in the HTTP response?