HTTP Strict Transport Security

HSTS

Tells the browser: "no plaintext, ever again, for this domain".


In plain terms

Stops downgrade attacks once the policy is cached. The HSTS preload list ships inside browsers and closes the first-visit gap.

Origin

RFC 6797 (2012). Closes the "first request is plaintext" attack window for any domain the browser has already visited over HTTPS. Chrome and Firefox ship a hard-coded preload list so even the first visit is secure.

Where it shows up in production
  • Gmail / banking sites: long max-age + includeSubDomains + preload. The browser rewrites http:// URLs to https:// before sending, so plaintext requests never reach the network.
  • HSTS preload list: single source list at hstspreload.org, 100k+ domains shipped into Chrome, Firefox, Safari, Edge.
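The following is an added example, not code from the page or from any browser or hstspreload.org. It parses Strict-Transport-Security headers the way RFC 6797 section 6.1 describes, checks a header against the published preload submission requirements (max-age of at least one year, includeSubDomains, preload), and models a browser's HSTS store so the first-visit gap, the includeSubDomains rule, the "ignore over plain HTTP" rule and the preload list can be seen in action. All hostnames and header values are constructed.

```python
"""Parse Strict-Transport-Security headers (RFC 6797, section 6.1) and model a
browser's HSTS store: which http:// requests get rewritten to https:// before
they leave the machine, and which still go out in plaintext.

Added example for this page; not the browsers' or hstspreload.org's code. All
hostnames and header values below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy stays valid
    include_subdomains: bool
    preload: bool           # only meaningful to the preload submission process


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None if the header must be ignored
    (no max-age, duplicated max-age, or a non-numeric value)."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        value = value.strip().strip('"')      # RFC 6797 allows a quoted-string value
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> list[str]:
    """Why a header would fail the hstspreload.org submission requirements."""
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems


class HstsStore:
    """Minimal model of a browser's HSTS host store plus a preload list."""

    def __init__(self, preloaded: Optional[dict] = None):
        # preloaded entries exist before any visit, so there is no first-visit gap
        self.hosts: dict[str, HstsPolicy] = dict(preloaded or {})

    def observe(self, host: str, header: str, over_tls: bool) -> None:
        """Process a Strict-Transport-Security response header from `host`."""
        if not over_tls:
            return  # RFC 6797 section 8.1: the header is ignored on non-TLS responses
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy.max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 deletes the cached policy
        else:
            self.hosts[host.lower()] = policy

    def policy_for(self, host: str) -> Optional[HstsPolicy]:
        """Exact match first, then any superdomain policy with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy and (i == 0 or policy.include_subdomains):
                return policy
        return None

    def outgoing_url(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if self.policy_for(parts.hostname) is None:
            return url  # no policy: this request leaves the machine in plaintext
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(preloaded={"bank.example": HstsPolicy(ONE_YEAR, True, True)})
    print(store.outgoing_url("http://www.example.com/"))     # plaintext: never visited
    store.observe("www.example.com", "max-age=31536000; includeSubDomains", True)
    print(store.outgoing_url("http://www.example.com/"))     # now upgraded
    print(store.outgoing_url("http://login.bank.example/"))  # preloaded: upgraded on first visit
    print(preload_problems(parse_hsts("max-age=3600")))
```

The store models policy expiry only through max-age=0; a real browser also records the time it received each header and drops the entry when max-age elapses, which is why a short max-age leaves a window where the protection silently lapses.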