Q24: Transport Security

[00:00:00]
>> Let's talk about the following header, we have to Strict-Transport-Security with max-age and includeSubdomains. The header enforces HTTPS for one year on the domain and its subdomains. When max-age expires, browsers will default to HTTP. The max-age is refreshed every time the browser routes the header or insecure requests to subdomains are allowed.

[00:00:25]
So the right answer is A, the header enforces HTTPS for one year on the domain and subdomains, and the max-age is refreshed every time the browser reads the header. So what we're working with here is something called HSTS. So essentially like if we're making an insecure request or like a request to HTTP website.com, the server will respond with, I mean, based on how the server setup.

[00:00:50]
THe 301 moved permanently because it's like no there's no HTTP, you should be using HTTPS. And after requesting it with HTTPS for the first time, the server can respond with that Strict-Transport-Security. And this essentially enables a security feature in your browser that will prevent your users from making an insecure request ever again to your server.

[00:01:13]
So this animation wasn't super clear, but essentially the 307 internal redirect is not a redirect coming from the server, it's a redirect coming from your browser. So your browser is telling you, hey, I got a Strict-Transport -Security header for this domain a while back still within the max-age.

[00:01:31]
So you shouldn't be using HTTP, you should be using HTTPS. So in this case, your browser redirects you automatically to HTTPS from HTTP. And this can prevent stuff like we just saw with the men in the middle attack if you're transferring sensitive data to a browser or to a client, you wanna protect them from using HTTP instead of HTTPS.

[00:01:56]
So the first one is true, cuz this header enforces HTTPS s for one year on the domain and its subdomains, cuz we say include subdomains. Pretty straightforward it also includes the subdomains there. When max-age expires browsers will default to HTTP, this isn't necessarily true. I mean, what does happen is if it has expired and ,okay, this makes a bit more sense if we explain C first, actually, cuz the max-age is refreshed every time the browser reads the header is also true.

[00:02:23]
So if you're on a page and you're using it every day, this max-age of one year, it will just get refreshed every day. So you're basically infinitely making sure that the user will use HTTPS because it refreshes it every time the browser reads the header. So when message expires browsers will default to HTTP.

[00:02:42]
This is true but that's essentially the same scenario that we saw on the first one, where the server then just has to respond again with that 301 attempt or permanent redirect, and then it'll use HTTPS again, and then the Strict-Transport-Security header will be sent back. Insecure requests to subdomains are allowed.

[00:02:59]
That's not true cuz we added the include subdomains there. So yeah, just a good header to know if you ever see HSTS or that term, just know that it refers to this. It is the enforcement of HTTPS by your browser by the use of a response header from your server.

[00:03:18]
Yeah another niche security thing that, yeah, it's just good to know about, I guess.