Tuesday, 19 March 2013

HSTS in TeamMentor

The latest version of TeamMentor adds the extra HSTS protection (see the issue "teammentor.net should use HSTS").

But what does this mean in practice?

If you look at the source code, you will see that the responses to all requests are injected with a number of extra headers.

One of them is the HSTS one, which is called 'Strict-Transport-Security'.

This header tells the browser to rewrite all links to https and to always use SSL to access the site (even if the user types the address using http).

As mentioned in the HSTS protection article, the only issue is that the first request made goes over HTTP:

But the really nice thing about HSTS is that if I now do this on my browser:

not only do I get the https version:

but no HTTP request was made at all (i.e. the first request was the HTTPS one).
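
To make the sequence above concrete, here is an added Python example (not TeamMentor's code) that models what the browser does with that header: it parses the Strict-Transport-Security value, remembers the host only when the header arrived over HTTPS, and upgrades later http:// URLs to https://, so the very first plain-HTTP request is the only one that stays unprotected. The header value and the expiry are constructed for the example; the post does not show the real max-age TeamMentor sends.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed header value; the exact max-age TeamMentor sends is an assumption.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains"

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if it is malformed."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None  # browsers ignore a header with a bad max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None  # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_subdomains}

class HstsCache:
    """Minimal model of a browser's HSTS host list (hostnames only, no ports)."""
    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # hostname -> (expiry timestamp, include_subdomains)

    def observe_response(self, url, headers):
        """Learn the policy from a response; only HTTPS responses count."""
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parts.scheme != "https" or policy is None:
            return False
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def rewrite(self, url):
        """Return the https:// form of an http:// URL if a live policy covers its host."""
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            covered = entry and entry[0] > self.now() and (i == 0 or entry[1])
            if parts.scheme == "http" and covered:
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url
```

Before any HTTPS response has been seen, `rewrite` leaves the http:// URL alone, which is exactly the first-request gap the post describes.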


1 comment:

Michael Hidalgo said...

Now that you bring this topic to our attention, I do have three comments:
1. This is very good stuff and I'm glad it is now part of TeamMentor.
2. I believe this approach should be adopted by Google to solve Blogger SSL issues, and for reference I found your blog post about that; it was written last year.
3. I found an interesting article from the HTML5Rocks.com folks about it which is pretty cool.