My registrar had an offer on domains so I figured I'd grab one and test out the HSTS preload process as it currently stands. I want to track how easy it is to preload and how long it takes for full browser coverage in vendor preload lists. What's preloading? HSTS,…
Tag: HSTS
Total 23 Posts
I did a scan of the Alexa Top 1 Million back in August 2015 and published the results for everyone to see. Having just completed another scan of the current Alexa Top 1 Million with additional metrics being tracked, I thought I'd compare the results and see how much progress…
The Chrome Security Team have just announced that they're removing the yellow warning triangle from pages with mixed content. From now on, these pages will show with the same neutral, grey icon as HTTP pages. They claim that this will help with the migration from HTTP to HTTPS and here's…
With my recent interest in security based HTTP headers like CSP and HPKP following the launch of my new service report-uri.io, I found myself wondering just how many people out there are actually taking advantage of the huge security gains on offer from such simple features. What are HTTP…
Following the recent announcement of my new service, https://securityheaders.io, I thought I'd cover some more of the security based HTTP response headers out there and look at how to harden your existing HTTP response headers. Introduction HTTP Response headers are name-value pairs of strings sent back from a…
After looking around for a quick and easy way to analyse the HTTP response headers of websites, I regularly found myself looking in Chrome Dev Tools. This isn't the most user friendly method of extracting this information and trying to ascertain just what was going on wasn't always easy. This…
HSTS is the great little response header that tells a browser to always use SSL/TLS to communicate with your site. It doesn't matter if the user, or a link they are clicking, specifies HTTP, HSTS will remove the ability for a compatible browser to use HTTP and will enforce…
The SSL Test provided by Qualys does an incredibly thorough evaluation of the SSL configuration on your server. It's a great way to get a feel for whether or not you're doing SSL right. In this blog I'm going to walk through the steps required to get an A+ rating,…
The HTTP Strict Transport Security (HSTS) header allows a host to enforce the use of HTTPS on the client side. By informing the browser to only use HTTPS, even if the user specifies HTTP as the protocol, the browser will enforce the use of HTTPS. This protects the user from…
Last week, there was large scale cyber attack on Polish internet users that specifically targeted online banking activities. By modifying the DNS settings on victim's routers, the attackers were able to redirect users to malicious servers and intercept online banking traffic to modify and steal it during transit. This resulted…
