user20110

Reputation: 151

Does HSTS upgrade all resources to HTTPS irrespective of the domain?

I am adding the HTTP Strict Transport Security header to a website.

Does it prevent loading of resources over HTTP that are not in the same domain?

Upvotes: 0

Views: 209

Answers (1)

Barry Pollard

Reputation: 45970

HSTS only applies to the domain it's sent with, and any subdomains if the includeSubDomains attribute is also set.

Any other domains are unaffected.

However, one thing to be careful of is if your main domain (www.example.com) uses the same config as the bare domain (example.com), which is quite common, and you issue the HSTS header on both (perhaps without realising it's also on the bare domain) and use the includeSubDomains header. If that's the case, then you can easily block access to other domains you did not intend to, which are still on http (e.g. http://blog.example.com or http://internal.example.com), if someone visits the bare domain.

BTW, if you were wanting to upgrade all the http requests to https, you could use Content Security Policy (CSP), which has an upgrade-insecure-requests option. However, browser support of that is not yet universal. You can also use CSP to help you identify mixed content as discussed here.

Upvotes: 1
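The scoping rules described in the answer, as an added example that is not code from the original post or from any browser: a minimal Python model of a browser's HSTS policy store following RFC 6797. It shows that a policy applies to the exact host that sent it, that a parent domain's policy reaches subdomains only when includeSubDomains is set, that a header received over plain http is ignored, and that max-age=0 clears a policy. The hostnames (example.com, www.example.com, blog.example.com, cdn.other.example) and the scenario in simulate() are constructed for illustration; the CSP upgrade-insecure-requests mechanism mentioned at the end of the answer is not modelled here.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).

Added example, not code from the original post. Hostnames below are
constructed. Expiry is driven by an explicit `now` argument so the
behaviour is deterministic.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        # host -> (expires_at, include_subdomains)
        self._policies = {}

    def observe_response(self, url, header_value, now=None):
        """Process a Strict-Transport-Security header received from `url`.

        Browsers only honour the header on an https response, and the
        resulting policy is keyed on the exact host that sent it.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # HSTS over plain http is ignored
        host = parts.hostname.lower()
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed directive: ignore the whole header
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 removes the policy
            return
        self._policies[host] = (now + max_age, include_sub)

    def is_known_hsts_host(self, host, now=None):
        """Superdomain walk: an exact match always applies; a parent
        domain's policy applies only if it carried includeSubDomains."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                continue  # expired policy no longer counts
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url, now=None):
        """Return the URL the browser would actually fetch for `url`.
        Port 80 becomes the https default; any other port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_hsts_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def simulate(now=1_700_000_000.0):
    """Constructed scenario mirroring the answer's warning about the bare domain."""
    store = HstsStore()
    out = {}
    # 1. www.example.com sends HSTS without includeSubDomains: only www is affected.
    store.observe_response("https://www.example.com/", "max-age=31536000", now)
    out["www_self"] = store.rewrite_url("http://www.example.com/app.js", now)
    out["sibling_after_www"] = store.rewrite_url("http://blog.example.com/", now)
    out["third_party"] = store.rewrite_url("http://cdn.other.example/lib.js", now)
    # 2. A header delivered over plain http is ignored entirely.
    store.observe_response("http://blog.example.com/", "max-age=31536000", now)
    out["http_header_ignored"] = store.rewrite_url("http://blog.example.com/", now)
    # 3. The same config on the bare domain with includeSubDomains now drags
    #    every subdomain onto https, including ones that only serve http.
    store.observe_response("https://example.com/", "max-age=31536000; includeSubDomains", now)
    out["blog_after_bare"] = store.rewrite_url("http://blog.example.com/", now)
    out["internal_after_bare"] = store.rewrite_url("http://internal.example.com:8080/", now)
    # 4. Policies expire after max-age seconds.
    out["expired"] = store.rewrite_url("http://www.example.com/app.js", now + 31536001)
    # 5. Sending max-age=0 from the bare domain clears its policy again.
    store.observe_response("https://example.com/", "max-age=0", now)
    out["cleared"] = store.rewrite_url("http://blog.example.com/", now)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:22s} -> {value}")
```

The scenario in step 3 is the footgun from the answer: once a browser has seen the bare domain's includeSubDomains policy, http://blog.example.com is silently rewritten to https://blog.example.com, and if that host has no working TLS the page simply fails to load; nothing in the store ever touches cdn.other.example.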
