-
Notifications
You must be signed in to change notification settings - Fork 16
/
HTTPS.protocol.txt
35 lines (30 loc) · 2.41 KB
/
HTTPS.protocol.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
HTTPS
HTTPS:
- using HTTP over SSL/TLS over TCP
- initiating connection:
- https:// protocol
- Upgrade [C] for HTTPS:
- should not be used as it leaves beginning of communication unencrypted
- mixed content:
- HTTPS needs to be enable on all website resources, including scripts, all pages, etc., otherwise could attack on specific
unsecure resources
- this includes cookies (which should use "secure" attribute)
- solutions:
- HSTS
- HTTP -> HTTPS permanent redirects, or using Link; rel="canonical" [S]
- use relative URIs
Strict-Transport-Security: max-age=NUM[; includeSubDomains] [S]:
- also called HSTS
- goal:
- redirects visitors visiting the domain using HTTP to using HTTPS instead, for a specific period of time (in seconds)
- does not allow visiting HTTPS page if certificate not ok
- Must be supplied over HTTPS, so:
- does not work if initial connection is HTTP, or in the time window when max-age expired.
- However, some browsers include a preloaded list of websites using this header.
- Prevents SSL-stripping (man-in-the-middle attacks that convert request from https to http).
- can add manually with about:net-internals#hsts (Chrome)
PADDED flag on HEADERS|DATA|PUSH_PROMISE (HTTP/2):
- adds null-padding at end and padding length at beginning
- used for security