HSTS – Page 3 – WindowsTechs.com

What happens if multiple Strict-Transport-Security headers are set in the HTTP response?

Posted on February 22, 2021 by One Oasis

If multiple Strict-Transport-Security headers are set with different settings (e.g. different max-age values), how will the browser behave? Does the browser just follow one of them, or simply error out and discard all? Is this behaviour di… Continue reading What happens if multiple Strict-Transport-Security headers are set in the HTTP response?→

How do browsers get HSTS preload data?

Posted on February 5, 2021 by MechMK1

I recently wrote this answer, in which I explained the process of HSTS preloading. However, I noticed that I didn’t actually know the exact mechanism for fetching preload information works. I have checked the Chromium Documentation, MDN We… Continue reading How do browsers get HSTS preload data?→

Will implementing HSTS cause parts of my website which use IE6 compatibility mode to break? [migrated]

Posted on December 27, 2020 by gordon613

I am converting a legacy system designed for IE6 to work on modern browsers.
Those parts of the site which have not yet been converted, will only work on Internet Explorer, and the IE6 emulation is provided via the following tag.
<meta … Continue reading Will implementing HSTS cause parts of my website which use IE6 compatibility mode to break? [migrated]→

HSTS without auto-upgrading HTTP to HTTPS

Posted on October 21, 2020 by Roddy of the Frozen Peas

I have a website hosted at https://example.com/mysite. If you navigate to http://example.com/mysite, you get a 404. Everything that comes in over HTTP gets 404’d.
I was dinged on a security audit because I wasn’t auto-upgrading HTTP to HTT… Continue reading HSTS without auto-upgrading HTTP to HTTPS→

"google.com" is not HSTS protected?

Posted on October 6, 2020 by el_tigro

Issue:
Oftentimes people enter google.com directly in the browser’s address bar without including either the http:// or https:// prefixes.
Using Chrome DevTools on a fresh incognito session, I ran the following experiment:

STEPS:
——-… Continue reading "google.com" is not HSTS protected?→

MITM attack with HSTS implemented websites

Posted on August 25, 2020 by user241274

I want to perform a Man-in-the-Middle attack against my own network for educational purposes.
I want the following scenario: Perform a MITM attack with Bettercap, navigate to a website and accept the certificate warning,which means accept … Continue reading MITM attack with HSTS implemented websites→

MITM attack with HSTS implemented websites

Posted on August 25, 2020 by user241274

Initial requests sent over HTTP by default [duplicate]

Posted on August 16, 2020 by user241274

Before the invention of HSTS security policy, if a user didn’t specify the protocol in the URL, were all the initial requests sent over HTTP by default for every website?

Continue reading Initial requests sent over HTTP by default [duplicate]→

Specific website does not load when I proxy it through Burpsuite with Firefox [closed]

Posted on July 9, 2020 by user238136

Some specific websites do not load when I proxy them with Burp Suite. I use Firefox and I can not find any solution to disable security in Firefox.
In this question there is mentioned a solution for chrome.
Please guide me to find an equiv… Continue reading Specific website does not load when I proxy it through Burpsuite with Firefox [closed]→

Does HSTS prevent packet capturing in Wireshark

Posted on July 8, 2020 by Joel Deleep

If a site is enforcing HSTS, does that prevent packet capturing of a GET requests in Wireshark?
If it prevents it, is it possible to achieve the same using Bettercap or any other alternatives?
Scenario:
The response to the GET request is a… Continue reading Does HSTS prevent packet capturing in Wireshark→