|
|
@@ -114,12 +114,12 @@ X-Content-Type-Options: nosniff
|
|
|
Refer to the relevant sections to see how to customize the defaults for both xref:servlet/exploits/headers.adoc#servlet-headers-hsts[servlet] and xref:reactive/exploits/headers.adoc#webflux-headers-hsts[webflux] based applications.
|
|
|
====
|
|
|
|
|
|
-When you type in your bank's website, do you enter `mybank.example.com` or do you enter `https://mybank.example.com`?
|
|
|
+When you type in your bank's website, do you enter `mybank.example.com` or do you enter `\https://mybank.example.com`?
|
|
|
If you omit the `https` protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man-in-the-Middle attacks].
|
|
|
-Even if the website performs a redirect to https://mybank.example.com, a malicious user could intercept the initial HTTP request and manipulate the response (for example, redirect to https://mibank.example.com and steal their credentials).
|
|
|
+Even if the website performs a redirect to `\https://mybank.example.com`, a malicious user could intercept the initial HTTP request and manipulate the response (for example, redirect to `\https://mibank.example.com` and steal their credentials).
|
|
|
|
|
|
Many users omit the `https` protocol, and this is why https://tools.ietf.org/html/rfc6797[HTTP Strict Transport Security (HSTS)] was created.
|
|
|
-Once `mybank.example.com` is added as a https://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as https://mybank.example.com.
|
|
|
+Once `mybank.example.com` is added as a https://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as `\https://mybank.example.com`.
|
|
|
This greatly reduces the possibility of a Man-in-the-Middle attack occurring.
|
|
|
|
|
|
[NOTE]
|
Marcus Hert Da Coregio