HSTS

Web

Định nghĩa

Bảo mật Truyền tải Nghiêm ngặt HTTP (HTTP Strict Transport Security). Cơ chế chính sách bảo mật web hướng dẫn trình duyệt chỉ truy cập trang qua HTTPS, ngăn chặn tấn công hạ cấp giao thức và chiếm cookie. Được cấu hình qua header phản hồi Strict-Transport-Security.

Why HSTS Exists

A browser visiting http://example.com might be silently redirected to HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. by the server — but that first unprotected request is a window for a man-in-the-middle to intercept or downgrade the connection. HTTP Strict Transport Security closes this gap by instructing browsers to always use HTTPS for a domain, even before the first redirect fires.

The Strict-Transport-Security Header

HSTS is delivered via a response header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. The max-age directive (in seconds) tells browsers how long to enforce HTTPS-only behavior. includeSubDomains extends the policy to all subdomains. preload opts the domain into browser-maintained lists (Chrome, Firefox, Safari) that enforce HSTS before any network request occurs — eliminating the first-visit vulnerability entirely.

Interactions with Other Security Headers

HSTS works alongside CSPContent Security Policy. An HTTP header that specifies which sources of content (scripts, styles, images) a browser is allowed to load for a page, providing a strong defense against XSS and data injection attacks. and other security headers to form a defense-in-depth posture. Once HSTS is active, HTTP Status CodesThree-digit codes returned by a web server indicating the result of a request. Organized into classes: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), and 5xx (server error). like 301 redirects from HTTP to HTTPS are redundant for returning visitors. Be cautious: setting a long max-age with includeSubDomains on a domain with HTTP-only subdomains will break those subdomains for all affected browsers until the policy expires. Use HTTP Header Analyzer to inspect the headers your server is currently returning and verify HSTS is correctly configured.

Thuật ngữ liên quan

Thêm trong Web