HSTS

الويب

التعريف

أمان النقل الصارم لـ HTTP. آلية سياسة أمان الويب التي تأمر المتصفحات بالوصول إلى الموقع عبر HTTPS فقط، مما يمنع هجمات تخفيض مستوى البروتوكول وسرقة ملفات تعريف الارتباط. يُهيَّأ عبر رأس استجابة Strict-Transport-Security.

Why HSTS Exists

A browser visiting http://example.com might be silently redirected to HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. by the server — but that first unprotected request is a window for a man-in-the-middle to intercept or downgrade the connection. HTTP Strict Transport Security closes this gap by instructing browsers to always use HTTPS for a domain, even before the first redirect fires.

The Strict-Transport-Security Header

HSTS is delivered via a response header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. The max-age directive (in seconds) tells browsers how long to enforce HTTPS-only behavior. includeSubDomains extends the policy to all subdomains. preload opts the domain into browser-maintained lists (Chrome, Firefox, Safari) that enforce HSTS before any network request occurs — eliminating the first-visit vulnerability entirely.

Interactions with Other Security Headers

HSTS works alongside CSPContent Security Policy. An HTTP header that specifies which sources of content (scripts, styles, images) a browser is allowed to load for a page, providing a strong defense against XSS and data injection attacks. and other security headers to form a defense-in-depth posture. Once HSTS is active, HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). like 301 redirects from HTTP to HTTPS are redundant for returning visitors. Be cautious: setting a long max-age with includeSubDomains on a domain with HTTP-only subdomains will break those subdomains for all affected browsers until the policy expires. Use HTTP Header Analyzer to inspect the headers your server is currently returning and verify HSTS is correctly configured.

المصطلحات ذات الصلة

المزيد في الويب