HTTP Downgrade and Mixed Content Risks
Understand how attackers exploit HTTP fallback and why mixed content breaks security guarantees.
HTTP Strict Transport Security
The HTTP Strict Transport Security (HSTS) header instructs browsers to only connect to a site over HTTPS for a specified period. Once received, the browser refuses HTTP connections and automatically upgrades http:// URLs to https://.
A typical HSTS header: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". The max-age is in seconds (31536000 = 1 year). Once cached, the browser enforces HTTPS for one year without any server involvement.
HSTS max-age and includeSubDomains
The max-age parameter sets how long the browser should enforce HTTPS-only connections, in seconds. Recommended values are at least one year (31536000) for production sites.
The includeSubDomains directive extends HSTS enforcement to all subdomains. This prevents attacks where an attacker downgrades a subdomain connection to HTTP and uses it to steal cookies set without the Secure flag on the main domain.
All lessons in this course
- The Padlock Icon: What It Really Means
- How Websites Get SSL Certificates
- TLS Certificate Warnings and What to Do
- HTTP Downgrade and Mixed Content Risks