0Pricing
Cryptology Academy · Lesson

HTTP Downgrade and Mixed Content Risks

Understand how attackers exploit HTTP fallback and why mixed content breaks security guarantees.

HTTP Strict Transport Security

The HTTP Strict Transport Security (HSTS) header instructs browsers to only connect to a site over HTTPS for a specified period. Once received, the browser refuses HTTP connections and automatically upgrades http:// URLs to https://.

A typical HSTS header: "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload". The max-age is in seconds (31536000 = 1 year). Once cached, the browser enforces HTTPS for one year without any server involvement.

HSTS max-age and includeSubDomains

The max-age parameter sets how long the browser should enforce HTTPS-only connections, in seconds. Recommended values are at least one year (31536000) for production sites.

The includeSubDomains directive extends HSTS enforcement to all subdomains. This prevents attacks where an attacker downgrades a subdomain connection to HTTP and uses it to steal cookies set without the Secure flag on the main domain.

All lessons in this course

  1. The Padlock Icon: What It Really Means
  2. How Websites Get SSL Certificates
  3. TLS Certificate Warnings and What to Do
  4. HTTP Downgrade and Mixed Content Risks
← Back to Cryptology Academy