{"id":370,"date":"2010-08-27T10:16:42","date_gmt":"2010-08-27T17:16:42","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=370"},"modified":"2016-09-30T02:56:09","modified_gmt":"2016-09-30T09:56:09","slug":"http-strict-transport-security","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/","title":{"rendered":"HTTP Strict Transport Security"},"content":{"rendered":"<p>A while ago, we talked about <a href=\"http:\/\/blog.mozilla.org\/security\/2009\/07\/27\/locking-up-the-valuables-opt-in-security-with-forcetls\/\">Force-TLS<\/a> that lets sites say &#8220;hey, only access me over HTTPS in the future&#8221; and the browser listens. Well, this idea has been solidifed into <a href=\"http:\/\/tools.ietf.org\/html\/draft-hodges-strict-transport-sec\">a draft spec<\/a> for HTTP Strict Transport Security (HSTS) and we&#8217;ve landed support for it into our source tree. This means that HSTS will be shipped with Firefox 4, and will be deployed as soon as the next beta release.<\/p>\n<p>We&#8217;re excited about this because it enables sites to easily give their users lots more protection from man-in-the-middle attacks when they&#8217;re using an untrustworthy network.<\/p>\n<p>Grab a <a href=\"http:\/\/nightly.mozilla.org\">nightly build<\/a>, and let us know what you think! The folks over at <a href=\"https:\/\/www.paypal.com\">PayPal<\/a> are serving a Strict-Transport-Security header, if you&#8217;d like to check it out.<\/p>\n<p>More Info:<\/p>\n<ul>\n<li><a href=\"http:\/\/blog.sidstamm.com\/2010\/08\/http-strict-transport-security-has.html\">A bit more about HSTS<\/a><\/li>\n<li><a href=\"http:\/\/hacks.mozilla.org\/2010\/08\/firefox-4-http-strict-transport-security-force-https\/\">Mozilla Hacks blog entry<\/a><\/li>\n<li><a href=\"http:\/\/tools.ietf.org\/html\/draft-hodges-strict-transport-sec\">Draft specification (technical details)<\/a><\/li>\n<\/ul>\n<p>Sid Stamm<br \/>\nConspiracy Theorist<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A while ago, we talked about Force-TLS that lets sites say &#8220;hey, only access me over HTTPS in the future&#8221; and the browser listens. Well, this idea has been solidifed &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/\">Read more<\/a><\/p>\n","protected":false},"author":1438,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,69,45499],"tags":[],"coauthors":[45516],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>HTTP Strict Transport Security - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"mozilla\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/\",\"name\":\"HTTP Strict Transport Security - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2010-08-27T17:16:42+00:00\",\"dateModified\":\"2016-09-30T09:56:09+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HTTP Strict Transport Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\",\"name\":\"mozilla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"caption\":\"mozilla\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"HTTP Strict Transport Security - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/","twitter_misc":{"Written by":"mozilla","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/","url":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/","name":"HTTP Strict Transport Security - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2010-08-27T17:16:42+00:00","dateModified":"2016-09-30T09:56:09+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2010\/08\/27\/http-strict-transport-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"HTTP Strict Transport Security"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9","name":"mozilla","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc","url":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","caption":"mozilla"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/370"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1438"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=370"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/370\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=370"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}