Tuesday 19 March 2013

HSTS in TeamMentor

The latest version of TeamMentor adds the extra HSTS protection (see issue teammentor.net should use HSTS)

But what does this mean in practice?

If you look at the source code, you will see that all requests

image

are injected with a number of extra headers.

One of them is the HSTS one, which is called ‘Strict-Transport-Security

image

What this header will do, is to tell the browser to rewrite all links as https and to always use SSL to access the site (even if the user types the address using http).

As mentioned in the HSTS protection article, the only issue is that the first request made goes in HTTP:

image

But the really nice thing about HSTS is that if I now do this on my browser:

image

Not only I get the https version:

image

There was not an HTTP request made: (i.e. the first request was the HTTPs one)

image