HTTP Strict Transport Security (HSTS)

GPTKB entity

Statements (49)
Predicate                        Object
gptkbp:instanceOf                web security policy mechanism
gptkbp:abbreviation              gptkb:HSTS
gptkbp:appliesTo                 web browsers
                                 web servers
gptkbp:canBe                     gptkb:IIS
                                 gptkb:Nginx
                                 gptkb:Apache_HTTP_Server
                                 gptkb:Tomcat
                                 gptkb:Lighttpd
                                 HTTP response header
gptkbp:canBeBypassedBy           removing HSTS policy from browser
gptkbp:category                  Internet security
                                 Web standards
gptkbp:definedIn                 gptkb:RFC_6797
gptkbp:effect                    forces future requests to use HTTPS
                                 prevents users from bypassing invalid certificate warnings
gptkbp:enforcedBy                use of HTTPS
gptkbp:headerName                gptkb:Strict-Transport-Security
https://www.w3.org/2000/01/rdf-schema#label  HTTP Strict Transport Security (HSTS)
gptkbp:introducedIn              2012
gptkbp:notEffectiveAgainst       first connection over HTTP
gptkbp:parameter                 preload
                                 includeSubDomains
                                 max-age
gptkbp:preloadListMaintainedBy   gptkb:Google
gptkbp:preloadListUsedBy         major browsers
gptkbp:prevention                man-in-the-middle attacks
                                 SSL stripping attacks
gptkbp:purpose                   protect websites against cookie hijacking
                                 protect websites against protocol downgrade attacks
gptkbp:recommendation            gptkb:OWASP
                                 gptkb:Mozilla_Observatory
                                 gptkb:CIS_Benchmarks
gptkbp:relatedTo                 gptkb:SSL/TLS
                                 gptkb:Content_Security_Policy_(CSP)
                                 HTTPS
                                 HTTP Public Key Pinning (HPKP)
gptkbp:requires                  initial HTTPS connection
gptkbp:securityRiskIf            misconfigured max-age
                                 not preloaded
                                 not set for all subdomains
gptkbp:supportedBy               gptkb:Google_Chrome
                                 gptkb:Mozilla_Firefox
                                 gptkb:opera
                                 gptkb:Microsoft_Edge
                                 gptkb:Safari
gptkbp:usedBy                    many major websites
gptkbp:bfsParent                 gptkb:RFC_6797
gptkbp:bfsLayer                  7