Brain Dump

HSTS

Tags
networking

On the very first (HTTPS) visit to a server the browser stores some information about it, including whether it only wants to talk over HTTPS (the Strict-Transport-Security header). If a later plain HTTP connection to that host is attempted, the browser rejects it and goes over HTTPS instead.

Concerns with this approach are:

  • The very first request is still vulnerable: if an attacker has been in a man-in-the-middle position from the start, the policy never reaches you and HSTS won't work.
  • HSTS info stored in your browser can reveal the sites you've visited, even in private mode 😨.
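The first-visit behaviour described above, as an added example that is not part of this note: a toy model of a browser's HSTS store in Python (class and function names are hypothetical). It shows that a policy is only learned from an HTTPS response, that later http:// URLs to that host (and, with includeSubDomains, its subdomains) are rewritten, and that the very first plain-HTTP request still goes out unprotected.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains), or None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None                      # malformed max-age: whole header is ignored
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)   # max-age is mandatory


class HstsCache:
    # Per-host policy store (constructed model): host -> (expiry timestamp, includeSubDomains)
    def __init__(self, now=time.time):
        self.now = now                           # injectable clock so expiry can be tested
        self.entries = {}

    def observe_response(self, url, header):
        # A policy is only learned from an HTTPS response; the same header seen on
        # plain HTTP (e.g. injected by a man-in-the-middle) is ignored entirely.
        parts, parsed = urlsplit(url), parse_sts(header)
        if parts.scheme != "https" or parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                         # max-age=0 asks the browser to forget the host
            self.entries.pop(parts.hostname, None)
        else:
            self.entries[parts.hostname] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        for known, (expires, include_sub) in self.entries.items():
            if expires > self.now() and (host == known or
                    (include_sub and host.endswith("." + known))):
                return True
        return False

    def rewrite(self, url):
        """URL the browser actually fetches: http:// becomes https:// for a known host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(parts._replace(scheme="https"))
        return url                               # first visit: still goes out over plain HTTP
```

Note that with a small max-age the policy lapses quickly and the host is back to the first-visit situation; production deployments use a long max-age (a year or more) for that reason.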
