by matt_heimer, 4632 days ago
I don't get this header. Wouldn't the man-in-the-middle that is using something like sslstrip also be able to strip out any header they choose to?
1 comment
daeken, 4632 days ago

Yes, this is the case, but *only* in the first request. As soon as an HTTP user agent gets such an HSTS header, it will only communicate via HTTPS until max-age expires.
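As an added example (not code from this thread or from any of the commenters), here is a small Python model of the browser-side HSTS policy cache that the comment above describes: it parses a Strict-Transport-Security header, remembers the policy until max-age runs out, and rewrites http:// URLs to https:// for hosts with a live policy before any request is sent. The host names, timestamps and header values are constructed for the demo. It makes both boundaries of the protection visible: the very first plaintext request, before any policy is cached (where a stripping middlebox can still remove the header), and the moment max-age expires, after which the next request is exposed again until a fresh policy is seen.

```python
"""Minimal model of a user agent's HSTS policy cache (RFC 6797).

Added example, not code from the thread. Host names, times and header
values below are constructed for the demo.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is absent or has no single valid max-age,
    in which case RFC 6797 says the user agent must ignore it.
    """
    if not header_value:
        return None
    max_age = None
    include_sub = False
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or malformed max-age: ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """host -> (expires_at, include_subdomains), keyed on lower-cased host."""

    def __init__(self):
        self._policies = {}

    def observe_response(self, host, scheme, headers, now):
        """Record a policy from a response. Only an HTTPS response counts:
        a plaintext response could have been written by an on-path party."""
        if scheme != "https":
            return False
        parsed = parse_hsts(headers.get("strict-transport-security"))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._policies.pop(host.lower(), None)  # max-age=0 removes the policy
            return True
        self._policies[host.lower()] = (now + max_age, include_sub)
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                continue  # expired: the next request is a "first request" again
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url, now):
        """Upgrade an http:// URL to https:// when the host has a live policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname, now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Walk through the thread's scenario with constructed values."""
    cache = HstsCache()
    t0 = 1_000_000  # constructed clock, seconds
    # First request: nothing cached yet, so the URL stays plaintext.
    first = cache.rewrite_url("http://example.com/login", t0)
    # Constructed HTTPS response carrying the policy (one hour, with subdomains).
    cache.observe_response(
        "example.com", "https",
        {"strict-transport-security": "max-age=3600; includeSubDomains"}, t0)
    second = cache.rewrite_url("http://example.com/login", t0 + 10)
    sub = cache.rewrite_url("http://www.example.com/", t0 + 10)
    # After max-age the policy lapses and the request is plaintext again.
    expired = cache.rewrite_url("http://example.com/login", t0 + 3601)
    return first, second, sub, expired


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The important design choice is in observe_response: a policy is only accepted from a response that arrived over HTTPS, so a header injected into a plaintext reply cannot pin a host, and a header removed from a plaintext reply is simply a header the client never expected to honour in the first place.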
davis_m, 4632 days ago

Only if the browser supports HSTS. Many do not, especially mobile browsers.