More Secure For You:
As previously communicated to you, I am pleased to announce that the address of this website is now hardcoded into your browser via the HSTS preload list.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections.
The most important attack that HSTS defends against is SSL stripping, a man-in-the-middle attack that works against TLS as well as SSL by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially has no way of knowing whether the connection should have been secure.
Many websites do not use TLS/SSL, therefore there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack, or simply because the website hasn’t implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant.
HSTS addresses this problem by informing the browser that connections to the site should always use TLS/SSL. To be included in the HSTS preload list, a website must:
- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
- Serve all subdomains over HTTPS.
  - In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
- Serve an HSTS header on the base domain for HTTPS requests:
  - The max-age must be at least eighteen weeks (10886400 seconds).
  - The includeSubDomains directive must be specified.
  - The preload directive must be specified.
  - If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
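The checks in the list above can be automated. The following is an added example (not code from the original post or from the preload list operators) that parses a Strict-Transport-Security header value and reports which of the preload requirements it fails, and then walks a redirect chain to verify that plain HTTP redirects to HTTPS on the same host and that every HTTPS response in the chain, including an intermediate redirect, carries a qualifying header. The chains and header values are constructed sample data; `example.com` and the function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Minimum max-age the post lists for preload eligibility: eighteen weeks in seconds.
PRELOAD_MIN_MAX_AGE = 10886400
REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive_name: value}.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased here;
    a valueless directive such as includeSubDomains maps to None. Duplicate
    directives are rejected because the RFC forbids them.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return the list of preload requirements this header value fails (empty = passes)."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif not d["max-age"] or not d["max-age"].isdigit():
        problems.append("max-age is not a non-negative integer")
    elif int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def chain_problems(chain):
    """Check a redirect chain captured as (url, status, headers) tuples.

    The first element is the response to the plain-HTTP request; it must redirect to
    https:// on the same host. Every HTTPS response, including intermediate redirects,
    must carry a header that passes preload_problems. Header names in the sample data
    are assumed to be canonically capitalised.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    first_url, first_status, first_headers = chain[0]
    first = urlsplit(first_url)
    if first.scheme == "http":
        target = urlsplit(first_headers.get("Location", ""))
        if (first_status not in REDIRECT_STATUSES
                or target.scheme != "https"
                or target.hostname != first.hostname):
            problems.append("http:// must redirect to https:// on the same host")
    for url, status, headers in chain:
        if urlsplit(url).scheme != "https":
            continue
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            problems.append(f"{url}: HTTPS response (status {status}) has no HSTS header")
        else:
            problems.extend(f"{url}: {p}" for p in preload_problems(hsts))
    return problems


# Constructed sample data (assumed host example.com).
GOOD_HEADER = "max-age=31536000; includeSubDomains; preload"
GOOD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": GOOD_HEADER}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD_HEADER}),
]
# Same chain, but the HTTPS redirect forgot the header: the case the last bullet warns about.
BAD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": GOOD_HEADER}),
]

if __name__ == "__main__":
    print("good chain:", chain_problems(GOOD_CHAIN) or "ok")
    print("bad chain:", chain_problems(BAD_CHAIN))
```

Run against live responses, the tuples would come from an HTTP client that does not follow redirects automatically, so that each hop's headers are inspected individually; that is exactly where a missing header on an intermediate redirect would otherwise go unnoticed.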