HSTS – HTTP Strict Transport Security

What is it?

It is a policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking (RFC 6797).

How does it work?

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named “Strict-Transport-Security”.

Is it the end solution?

Of course…not! The protection only applies after a user has visited the site at least once, relying on the principle of trust on first use (TOFU). Once the policy is known, a user entering or selecting a URL to the site that specifies HTTP is automatically upgraded to HTTPS without any HTTP request being made, which prevents the HTTP man-in-the-middle attack from occurring.

The next step?

Submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list.

No matter what you read, do it, or at least make a script.
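The following is an added example, not code from the original post: it parses a Strict-Transport-Security header value according to RFC 6797 and reports why a site would fail submission to the Chrome preload list. The preload criteria it checks (a max-age of at least one year, includeSubDomains, and the preload directive) are the published requirements of hstspreload.org; the sample header values are constructed.

```python
"""Parse a Strict-Transport-Security header (RFC 6797) and check it against
the Chrome HSTS preload list submission requirements (hstspreload.org):
max-age of at least one year, includeSubDomains and preload.
Added example, not the post's code; the sample header values are constructed."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age accepted for preload


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Return {'max_age', 'include_subdomains', 'preload'} or None if invalid.
    RFC 6797: ';'-separated directives, case-insensitive names, max-age
    required, and a repeated directive makes the whole header invalid."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:  # duplicate directive: the UA must ignore the header
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def preload_problems(header: str) -> List[str]:
    """Reasons a header would fail preload submission; empty list means eligible."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed (max-age is required)"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below {ONE_YEAR}")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems
```

Feed `preload_problems` the header value taken from a real HTTPS response (for example via `requests.head(url).headers.get("Strict-Transport-Security", "")`) to turn it into the check script the post recommends.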