
Why shouldn't HSTS header be sent on plaintext HTTP redirect to HTTPS?

Question asked by Nick Pearson on Jul 5, 2016
Latest reply on Jul 8, 2016 by Nick Pearson


According to The Importance of a Proper HTTP Strict Transport Security Implementation on Your Web Server on the Qualys blog (#4 under HSTS Best Practices),

The application should never send an HSTS header over a plaintext HTTP header, as doing so makes the connection vulnerable to SSL stripping attacks.

Assuming a plaintext HTTP response can be modified by a MITM, how does the inclusion of the HSTS header from the server open one up to SSL stripping?

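The following is an added example, not part of the original post or of the Qualys article it cites. It models the two behaviours the question turns on: a browser's HSTS store, which per RFC 6797 section 8.1 must ignore a Strict-Transport-Security header received over insecure transport, and an active attacker on the plaintext hop, who can remove the header and rewrite the redirect regardless of whether the server sent it. The host name, URLs and header values are constructed for illustration; `audit()` is a hypothetical server-side check for the Qualys best practice quoted above.

```python
"""
Toy model of HSTS handling by transport (added example, constructed data).
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[str, int, Headers]   # (scheme, status, headers)

HSTS = "Strict-Transport-Security"

# Constructed sample exchange for one hypothetical host (not a real capture).
HOST = "www.example.com"
PLAINTEXT_REDIRECT_WITH_HSTS: Response = (
    "http", 301,
    {"Location": f"https://{HOST}/", HSTS: "max-age=31536000; includeSubDomains"},
)
PLAINTEXT_REDIRECT: Response = ("http", 301, {"Location": f"https://{HOST}/"})
HTTPS_PAGE: Response = ("https", 200, {HSTS: "max-age=31536000; includeSubDomains"})


def parse_hsts(value: str) -> Optional[dict]:
    """Parse an STS field value (RFC 6797 s6.1). None when max-age is absent or invalid."""
    directives: Dict[str, str] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}


class UserAgent:
    """Minimal HSTS store. RFC 6797 s8.1: an STS header received over insecure
    transport MUST be ignored, so only 'https' responses can create a policy."""

    def __init__(self) -> None:
        self.known_hosts: Dict[str, dict] = {}

    def process_response(self, host: str, response: Response) -> bool:
        """Return True if the response changed the stored policy for host."""
        scheme, _status, headers = response
        if scheme != "https":
            return False                      # header over plaintext: ignored
        value = headers.get(HSTS)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.known_hosts.pop(host, None)  # max-age=0 clears the policy
        else:
            self.known_hosts[host] = policy
        return True

    def scheme_for(self, host: str, requested: str) -> str:
        """Scheme the UA actually uses: known HSTS hosts are upgraded before connecting."""
        return "https" if host in self.known_hosts else requested


def strip_mitm(response: Response) -> Response:
    """What an active attacker on the plaintext hop can do: drop HSTS and downgrade the redirect."""
    scheme, status, headers = response
    if scheme != "http":
        return response                       # the TLS hop is out of reach
    stripped = {k: v for k, v in headers.items() if k != HSTS}
    if "Location" in stripped:
        stripped["Location"] = stripped["Location"].replace("https://", "http://", 1)
    return scheme, status, stripped


def audit(responses: List[Response]) -> List[str]:
    """Hypothetical server-side check for the Qualys best practice: no HSTS on plaintext responses."""
    return [
        f"{status} over http carries {HSTS}; browsers ignore it and a MITM can remove it"
        for scheme, status, headers in responses
        if scheme == "http" and HSTS in headers
    ]


def first_visit_is_strippable() -> bool:
    """A fresh UA that has only seen the plaintext redirect (HSTS or not) stays on http."""
    ua = UserAgent()
    ua.process_response(HOST, PLAINTEXT_REDIRECT_WITH_HSTS)   # ignored: wrong transport
    tampered = strip_mitm(PLAINTEXT_REDIRECT_WITH_HSTS)
    return ua.scheme_for(HOST, "http") == "http" and tampered[2]["Location"].startswith("http://")


def after_https_visit_is_pinned() -> bool:
    """Once the HTTPS response has been seen, the UA upgrades before the attacker gets a turn."""
    ua = UserAgent()
    ua.process_response(HOST, HTTPS_PAGE)
    return ua.scheme_for(HOST, "http") == "https"


if __name__ == "__main__":
    print(audit([PLAINTEXT_REDIRECT_WITH_HSTS, PLAINTEXT_REDIRECT, HTTPS_PAGE]))
    print("strippable on first visit:", first_visit_is_strippable())
    print("pinned after https visit:", after_https_visit_is_pinned())
```

The model makes the practical point concrete: the header on the plaintext 301 buys nothing, because a conforming browser discards it and an on-path attacker can discard it too, so the only response that can establish the policy is the one served over TLS.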