Search…
HSTS
HTTP Strict Transport Security, HSTS, is a protocol mechanism that helps to protect HTTPS servers against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows an HTTPS server to declare that clients should automatically interact with this host name using only HTTPS connections going forward - and explicitly not use clear text protocols with it.

HSTS cache

The HSTS status for a certain server name is set in a response header and has an expire time. The status for every HSTS host name needs to be saved in a file for curl to pick it up and to update the status and expire time.
Invoke curl and tell it which file to use as a hsts cache:
1
curl --hsts hsts.txt https://example.com
Copied!
curl will only update the hsts info if the header is read over a secure transfer, so not when done over a clear text protocol.

Use HSTS to update insecure protocols

If the cache file now contains an entry for the given host name, it will automatically switch over to a secure protocol even if you try to connect to it with an insecure one:
1
curl --hsts hsts.txt http://example.com
Copied!
Last modified 10d ago
Export as PDF
Copy link
Edit on GitHub