HTST – Strict Transport Security

I recently stumbled across a pretty cool, but also painful if you don’t know it, functionality within the HTTP/S protocol.

It is called HTST or HTTP Strict Transport Security. Basically it tells the browser over a header to request everything from this server only via HTTPS instead of HTTP.
The first request will set something like a cookie, but it is, depending on the browser, not a regular cookie. For example Safari stores this information in a file called HTST.plist.

The header sets a lifetime like for a cookie.

In my specific case, I had an entire server redirected to https by a rewrite rule, but one specific URL redirected to http. HTST avoided that drastically and it took me a few hours and some external help to figure this out.

Details about my case can be found here.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: