Web Dev Break Episode 5

Make your app safer with HSTS

HSTS (HTTP Strict Transport Security) is a wonderfully simple mechanism for protecting your users from certain attacks that HTTPS alone cannot prevent.

Eliot Sykes

Show notes and links for this episode follow below.

Sketchnotes on Make your app safer with HSTS

The Heartbleed bug, which severely compromises the security of the websites it affects.

The EFF says sites must use HSTS in order to be secure, and suggests not enough web developers know about it yet.

Moxie Marlinspike on SSL stripping, the attack he introduced in 2009, and the Wikipedia entry on SSL stripping.

The Chromium project has instructions on how to get your site on the STS preloaded list. The Mozilla Security Blog on preloading HSTS. Sincere thanks to Adam Langley (@agl__) for taking the time to answer questions about the Chromium list.

“Can I use Strict Transport Security?” shows browser support. Follow the progress of IE’s upcoming support for HSTS (“In Development” in April 2014).

OWASP on setting up the Strict-Transport-Security header for various servers.
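As an added example (not code from the episode or the OWASP guide), here is a small checker that parses a Strict-Transport-Security header the way RFC 6797 describes and reports the settings a reviewer would want hardened. The one-year minimum max-age is an assumption for the check, not a value the episode states.

```python
import re

# Added example (not from the episode or OWASP): validate an HSTS header and
# report weak settings. The one-year threshold below is an assumption.
ONE_YEAR = 31536000  # assumed minimum max-age worth calling "strong"

def parse_hsts(header):
    """Return {directive_name: value} or None if the header is invalid.
    RFC 6797: max-age is required and no directive may appear twice;
    browsers ignore a header that breaks these rules."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if value.startswith('"') and value.endswith('"') and len(value) >= 2:
            value = value[1:-1]  # max-age="3600" is a legal quoted-string form
        if not re.fullmatch(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name) or name in directives:
            return None
        directives[name] = value
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return directives

def assess_hsts(header, min_age=ONE_YEAR):
    """Classify a header as 'invalid', 'disabled', 'weak' or 'strong'."""
    d = parse_hsts(header)
    if d is None:
        return "invalid", ["header does not conform to RFC 6797; browsers ignore it"]
    age = int(d["max-age"])
    if age == 0:
        return "disabled", ["max-age=0 tells browsers to forget the host's HSTS state"]
    reasons = []
    if age < min_age:
        reasons.append(f"max-age {age} is below {min_age} seconds")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains missing: subdomains remain exposed to SSL stripping")
    if "preload" not in d:
        reasons.append("preload token missing: the site cannot be submitted to the preload list")
    return ("weak" if reasons else "strong"), reasons
```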