by alexkon 6160 days ago
There is an improvement over an HTTP redirect to the HTTPS site. Such redirects usually occur at the beginning of every session (or, at least, of some sessions). An active attacker could intercept the redirect at any time, à la Moxie Marlinspike’s sslstrip: http://www.thoughtcrime.org/software/sslstrip/ . But once the browser has received the X-Force-TLS header, it will avoid accessing the site over HTTP at all, thus preventing that kind of attack. In other words, the browser will now automatically perform the redirect without issuing any insecure HTTP requests to the site.
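As an added example (not part of the original comment), here is a small Python model of the client-side policy the comment describes: a client that, after seeing the force-TLS header over HTTPS, rewrites every later `http://` URL for that host to `https://` locally, so the server-side redirect is never needed again and no plaintext request leaves the client. The header value grammar (`max-age=N; includeSubDomains`) is an assumption borrowed from the later standardised Strict-Transport-Security header, which the client also honours; the page itself shows no header syntax. The host `example.com` and the server responses are constructed.

```python
"""Model of a browser's force-TLS pin store (added example, not the post's code).

Assumes the header value follows HSTS grammar: 'max-age=N[; includeSubDomains]'.
The X-Force-TLS name comes from the comment; Strict-Transport-Security is the
standardised successor.  Server behaviour below is constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

FORCE_TLS_HEADERS = ("x-force-tls", "strict-transport-security")


def parse_force_tls(value):
    """Return (max_age, include_subdomains) or None if max-age is missing/invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class ForceTlsClient:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pins = {}               # host -> (expiry_timestamp, include_subdomains)
        self.insecure_requests = []  # http:// URLs that actually went on the wire

    def _pinned(self, host):
        """Exact host pin, or a parent-domain pin carrying includeSubDomains."""
        if not host:
            return False
        now, labels = self.clock(), host.split(".")
        for i in range(len(labels)):
            entry = self.pins.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:  # absent or expired
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for pinned hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._pinned(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def fetch(self, url, responder):
        url = self.upgrade(url)
        parts = urlsplit(url)
        if parts.scheme == "http":
            self.insecure_requests.append(url)
        status, headers = responder(url)
        if parts.scheme == "https":  # the pin is only trusted when delivered over TLS
            for name, value in headers.items():
                if name.lower() in FORCE_TLS_HEADERS and (p := parse_force_tls(value)):
                    max_age, include_sub = p
                    if max_age == 0:
                        self.pins.pop(parts.hostname, None)   # max-age=0 clears the pin
                    else:
                        self.pins[parts.hostname] = (self.clock() + max_age, include_sub)
        return url, status


def constructed_server(url):
    """Constructed site: HTTP redirects to HTTPS; HTTPS replies carry the header."""
    if urlsplit(url).scheme == "http":
        return 301, {"Location": url.replace("http://", "https://", 1)}
    return 200, {"X-Force-TLS": "max-age=3600; includeSubDomains"}


def simulate_sessions():
    now = [1000.0]
    client = ForceTlsClient(clock=lambda: now[0])
    # Session 1: the one plaintext request the site ever sees, answered by a redirect.
    client.fetch("http://example.com/", constructed_server)
    client.fetch("https://example.com/", constructed_server)   # pin learned here
    # Session 2: http:// URLs are upgraded locally; nothing insecure goes out.
    second = [client.fetch(u, constructed_server)[0]
              for u in ("http://example.com/login", "http://www.example.com/")]
    # After max-age elapses the pin lapses and the client is back to plaintext + redirect.
    now[0] += 3601
    after_expiry = client.fetch("http://example.com/", constructed_server)[0]
    return {"insecure_requests": list(client.insecure_requests),
            "second_session": second, "after_expiry": after_expiry}
```

The expiry step is the practical caveat: the protection only holds while the pin is fresh, so a site that wants the sslstrip-style window closed for good has to keep re-sending the header with a long `max-age` on every HTTPS response.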