747
Downloads
670
Downloads of v 1.0.1
2011-03-18
Last update
HTTP Strict Transport Security
1.0.1
HTTP Strict Transport Security (HSTS) describes a method for a web site to tell client browsers that they should only interact with it over secure transport, i.e. TLS Whilst there have been browser plugins which support this draft specification, support for HSTS was announced for v4 of Google Chrome for v4 of Mozilla Firefox. Hopefully Microsoft Internet Explorer 9 and Opera will also adopt this.
Why is it important? Some attacks mean that TLS is vulnerable if there are redirects from non-TLS (e.g. http://www.example.com) to TLS (https://www.example.com) content. And if part, or all, of your web site is only meant to be accessed over SSL, HSTS should be implemented now, ready for mainstream adoption.
Further details are provided on the W3C page at Strict Transport Security (STS) and the draft IETF specification is at HTTP Strict Transport Security (HSTS).
More information can be found in Security Now podcast 262. http://media.GRC.com/sn/SN-262.mp3
UPDATES:
Added ability to opt out of applying checks to localhost and instructions document.
To install HTTP Strict Transport Security, run the following command in the Package Manager Console
PM> Install-Package HSTS
Owners
m1dst
Authors
Tags
Dependencies
This package has no dependencies.
Version History
| Version | Downloads | Last updated |
|---|---|---|
| HTTP Strict Transport Security 1.0.1 | 670 | Friday, March 18 2011 |
| HTTP Strict Transport Security 1.0 | 77 | Thursday, March 10 2011 |