OWASP

HTTP Strict Transport Security(HSTS):

  • The HSTS response header tells the browser to load a site only over the secure (HTTPS) scheme.
  • It is based on the Trust On First Use (TOFU) paradigm: the browser only learns the policy from a response it has already received, so the very first request is unprotected.
  • 1st request (browser does not yet know the host):
    • HTTP Status: 301 with a Location header pointing at the HTTPS URL.
    • The response over HTTPS sets the header: Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  • 2nd request (browser already knows the host):
    • HTTP Status: 307 Internal Redirect with a Location header; the browser rewrites the URL itself and no plain-HTTP request is sent.
    • The synthetic response carries the header: Non-Authoritative-Reason: HSTS
  • max-age:
    • Declares the period during which the browser will not make insecure requests to the host.
    • The period is in seconds.
    • 31536000 seconds equals 1 year.
    • Sliding expiration: every HTTPS response carrying the header resets the timer.
  • includeSubdomains:
    • Extends the scope of HSTS to all subdomains of the host.
    • Required for the preload directive.
  • Tools:
    • chrome://net-internals/#hsts : use this page to query, add or delete HSTS entries manually in Chrome.
    • https://hstspreload.org/ : register a domain here to have its HSTS policy baked into the browser's preload list; this eliminates the TOFU weakness.

HTTP Public Key Pinning(HPKP):

  • Threat addressed: a rogue certificate issued for the domain.
  • Allows the trusted certificates (identified by public-key hash) to be whitelisted.
  • Response will set header:
    Public-Key-Pins: pin-sha256="[pin 1]"; pin-sha256="[pin 2]"; max-age=2592000; report-uri="[url]"; includeSubdomains

CSP Header

  • Clickjacking: the frame-ancestors directive controls which origins may frame the page.

Content-Security-Policy:
script-src 'self' 'unsafe-inline' 'unsafe-eval' [uris]; style-src 'self' 'unsafe-inline' [uris]; img-src 'self' [uris]; font-src 'self' [uris]; report-uri [uri]
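As an added example, not part of the original notes, the Python below parses a Content-Security-Policy value into its directives and flags the settings a reviewer would push back on: 'unsafe-inline' and 'unsafe-eval' (which largely cancel the XSS benefit of the policy), wildcard sources, a missing default-src fallback, a missing frame-ancestors directive (the CSP clickjacking control named above) and a missing reporting endpoint. The two sample headers are constructed for the demonstration; the first is the page's policy with its [uris] placeholders filled in, the second a hardened version of it.

```python
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header_value: str) -> dict:
    """Parse a CSP value into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. When a directive
    is repeated, the first occurrence wins and later ones are ignored, which is
    what the CSP specification requires of user agents.
    """
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_findings(header_value: str) -> list:
    """Return human-readable weaknesses in a CSP header (empty list = clean)."""
    policy = parse_csp(header_value)
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            if src.lower() in UNSAFE_KEYWORDS:
                findings.append(f"{directive} allows {src}")
            elif src == "*":
                findings.append(f"{directive} allows any origin (*)")
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: no CSP clickjacking protection")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will not be reported")
    return findings


# Constructed sample: the page's policy with its [uris] placeholders filled in.
WEAK_CSP = ("script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example; "
            "style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; "
            "report-uri /csp-report")

# Constructed sample: the same policy after hardening.
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://cdn.example; "
                "style-src 'self'; img-src 'self'; font-src 'self'; "
                "object-src 'none'; frame-ancestors 'none'; report-uri /csp-report")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}:")
        for finding in csp_findings(csp) or ["no findings"]:
            print("  -", finding)
```

Run against the weak policy the checker reports five findings (both unsafe keywords on script-src, 'unsafe-inline' on style-src, the missing default-src and the missing frame-ancestors); the hardened policy reports none, because it restricts every fetch directive through default-src and denies framing outright.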