HTTP Strict Transport Security

"HSTS, standing for HTTP Strict Transport Security, is a relatively new standard that aims to bolster the strength of HTTPS connections. Hopefully it's about to catch on. Google Chrome has supported HSTS for a while now, and Firefox support is imminent.

The stated benefits of HSTS include:

* Defenses against sslstrip-like attacks. The initial navigation to blah.com is automatically upgraded to HTTPS.

* Zero tolerance for certification problems. The user is not permitted to "click through" anything such as a self-signed cert.

(...)"

Source: http://scarybeastsecurity.blogspot.com/2011/02/some-less-obvious-benefits-of-hsts.html

"The characteristics of the HTTP Strict Transport Security policy, as applied by a UA in its interactions with a web site wielding HSTS Policy, known as a HSTS Server, is summarized as follows:

1. All insecure ("http") connections to a HSTS Server are redirected by the HSTS Server to be secure connections ("https").

2. The UA terminates, without user recourse, any secure transport connection attempts upon any and all secure transport errors or warnings, including those caused by a site presenting self-signed certificates.

3. UAs transform insecure URI references to a HSTS Server into secure URI references before dereferencing them."

IETF draft: http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
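The three characteristics quoted from the draft describe what a user agent has to keep track of: which hosts asserted a policy, for how long, and whether subdomains are covered, so that insecure references can be upgraded before they are dereferenced. The following is an added example, not code from the draft or from any browser, of a minimal UA-side HSTS store; the header syntax (`max-age=<seconds>`, optional `includeSubDomains`) is assumed from the draft, and `HstsStore` and its method names are hypothetical.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal UA-side HSTS cache (added example, not the draft's code).
    hosts maps lowercase host -> (expiry_epoch, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def note_header(self, host, header_value, received_at):
        """Record a Strict-Transport-Security header seen over a secure
        connection. Header syntax assumed from the draft:
        max-age=<seconds>[; includeSubDomains]. Returns False if unparsable."""
        max_age, include_subdomains = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return False            # max-age is mandatory
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 withdraws the policy
        else:
            self.hosts[host.lower()] = (received_at + max_age, include_subdomains)
        return True

    def is_known(self, host, at):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.hosts.get(".".join(labels[i:]))
            if policy and policy[0] > at and (i == 0 or policy[1]):
                return True
        return False

    def rewrite(self, uri, at):
        """Characteristic 3: upgrade an insecure URI to a known HSTS host to https."""
        p = urlsplit(uri)
        if p.scheme.lower() != "http" or not self.is_known(p.hostname or "", at):
            return uri
        netloc = p.hostname if p.port in (None, 80) else "%s:%d" % (p.hostname, p.port)
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

Expiry is checked against the caller-supplied timestamp so the cache behaves the same way offline; a real UA would pass `time.time()` and would only call `note_header` for headers received over an error-free TLS connection, per characteristic 2.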