
By Abhishek Ghosh September 11, 2014 4:33 pm Updated on September 11, 2014

What is HTTP Strict Transport Security (HSTS) Preload List?

HTTP Strict Transport Security (HSTS)? HSTS Preload List? Do they sound like new words? Not exactly: the three major browsers have been working to implement this, and related work goes back to 2012. In this article we discuss the theoretical side of HTTP Strict Transport Security (HSTS) and explain what the HSTS Preload List is. In upcoming articles we will show how to configure your server properly so that it is eligible for inclusion in the HSTS Preload List.

What is HTTP Strict Transport Security (HSTS) and What is HSTS Preload List?

Google Chrome maintains the HSTS preload list, and other browsers including Firefox and Safari use the same list. So if we pass the test, we are actually included in the list for all three browsers.

WordPress is the most commonly used CMS/blogging software, Ubuntu is probably the most common choice for cloud servers, and Nginx is becoming the most popular web server software. So our guides will be oriented towards server-side configuration for these setups. We need to know the theory first.

---

HTTP Strict Transport Security (HSTS) is defined by IEEE (and copied by Wikipedia) as a web security policy by which a web server declares that compatible user agents (such as a web browser) must interact with it only over connections using HTTP Secure / HTTPS. HSTS is a standards protocol and is specified in RFC 6797. The HSTS policy is communicated by the server to the user agent through an HTTP response header called “Strict-Transport-Security”. The policy specifies a period of time during which the user agent must access the server only over a secure connection. This website uses HTTP Strict Transport Security (HSTS). It can easily be tested with cURL on OS X, GNU/Linux or Microsoft Windows (read cURL for Microsoft Windows):

# show only the HSTS header from the response
curl -s -D- https://thecustomizewindows.com | grep Strict
# bigger full header
curl -I https://thecustomizewindows.com

Here is an animated presentation:

[Animation: What is HTTP Strict Transport Security HSTS Preload List]

Here is the cURL header and the test as a simple screenshot:

[Screenshot: cURL output showing the Strict-Transport-Security header and the test result]

Actually, after passing the test, you need to submit your domain here:

https://hstspreload.appspot.com

After a successful submission, you will see a response like this screenshot:

[Screenshot: HSTS Preload List submission response]

The HSTS specification was published as RFC 6797 on November 19, 2012, after being approved as a Proposed Standard on October 2, 2012. The specification is based on the original work of Jackson and Barth. When the HSTS policy is active for a website, a compatible user agent automatically replaces all insecure links with secure ones before accessing the server. That is basically why the word Preload is appended. It is invalid with a self-signed certificate. The actual purpose is the prevention of man-in-the-middle attacks.

Browsers that support HSTS:

Google Chrome and Chromium from the 4.0.211.0 release.
Firefox since August 25, 2010
Opera 12
Newer Safari
Internet Explorer does not support HSTS (as can be expected! Worse, on Windows XP with IE 6 even the basics fail)

We can implement HSTS on Nginx, Apache, Lighttpd or via a programming language like PHP, Perl, Ruby on Rails, JSP or CFML. Theoretical details can be found here:

http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#ALPN

Implementation on Apache2

# mod_headers: set the whole policy in one directive. "Header append" would join
# the two values with a comma, which is not a valid Strict-Transport-Security value.
# max-age=500 seconds is only a short test value.
Header always set Strict-Transport-Security "max-age=500; includeSubDomains"
# preload not shown

Implementation on Lighttpd

# mod_setenv adds the header; only send it on HTTPS responses
server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=31536000" )
}
# preload not shown

Implementation on Nginx

# inside the HTTPS server block; one year max-age, subdomains and preload
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
# yeah with preload

Implementation with PHP

<?php
$use_sts = true;
if ($use_sts) {
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        // already on HTTPS: send the policy (max-age=500 seconds is a short test value)
        header('Strict-Transport-Security: max-age=500');
    } else {
        // plain HTTP: redirect permanently to the HTTPS version of the same URL
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}
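The cURL test above only greps for the header; it does not tell you whether the value is well formed or whether it carries the directives the preload submission expects. The following Python script is an added example, not code from the original article or from any of the projects mentioned: it pulls the Strict-Transport-Security value out of raw response headers (the output of curl -s -D-), parses it according to the directive syntax of RFC 6797, and reports what is missing. The threshold of one year (31536000 seconds) for max-age is an assumption taken from the Nginx example on this page, and the sample header values (including the comma-joined one that an Apache "Header append" would produce) are constructed for the example.

```python
# Added example: parse and check Strict-Transport-Security header values.
# Not code from the original article; the preload criteria below are assumptions.

# Assumption: one year, the max-age the Nginx example on the page uses.
MIN_PRELOAD_MAX_AGE = 31536000

# Constructed sample values (not captured from a real server).
SAMPLES = {
    "nginx_preload": "max-age=31536000; includeSubDomains; preload",
    "php_short": "max-age=500",
    "apache_append_bug": "max-age=500, includeSubDomains",  # what 'Header append' would emit
    "lighttpd": "max-age=31536000",
}

# Constructed raw response, as 'curl -s -D-' would print it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def sts_from_response(raw_headers):
    """Return the Strict-Transport-Security value from raw response headers,
    or None if absent. Header names are case-insensitive, unlike 'grep Strict'."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_sts(value):
    """Parse an STS value per RFC 6797 section 6.1: directives separated by ';',
    names case-insensitive, max-age required, no directive repeated.
    Returns a dict, or None if the value is not a valid STS header."""
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing ';'
        name, sep, val = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a directive must appear at most once
        directives[name] = val.strip().strip('"') if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # missing max-age, or a non-numeric value such as "500, includeSubDomains"
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_problems(value):
    """Return the list of reasons a header is not ready for preload submission
    (empty list means it looks ready). Criteria are the assumptions stated above."""
    parsed = parse_sts(value)
    if parsed is None:
        return ["header is not a valid Strict-Transport-Security value"]
    problems = []
    if parsed["max_age"] < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age %d is below %d" % (parsed["max_age"], MIN_PRELOAD_MAX_AGE))
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not parsed["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    print("from sample response:", sts_from_response(SAMPLE_RESPONSE))
    for label, value in SAMPLES.items():
        print(label, "->", preload_problems(value) or "looks ready for preload")
```

To use it against a live site, replace SAMPLE_RESPONSE with the output of curl -s -D- for your own domain; the script runs offline as written.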

We gave some basic examples. So, HSTS, HSTS preload and the HSTS preload list are actually different things, even if you are not a very techie person. The list, as the name says, is a list; HSTS is the defined policy. You can see here for the list part:

https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

About This Article

Cite this article as: Abhishek Ghosh, "What is HTTP Strict Transport Security (HSTS) Preload List?," in The Customize Windows, September 11, 2014, May 21, 2022, https://thecustomizewindows.com/2014/09/http-strict-transport-security-hsts/.

Source:The Customize Windows, JiMA.in

This website uses cookies. If you do not want to allow us to use cookies and/or non-personalized Ads, kindly clear browser cookies after closing this webpage.

Read Privacy Policy.

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2022 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy