home.social

#hsts — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #hsts, aggregated by home.social.

  1. Enabled HSTS with includeSubDomains and preload.

    The cost is real and one-way: every current and future subdomain must serve HTTPS or become unreachable. Removal from the preload list is in browser-release hands, not yours.

    Accepted because the site is HTTPS-only by intent and Caddy provisions certs for every subdomain automatically via Let's Encrypt.

    #HSTS #WebSecurity #Caddy #SelfHosting

  5. 💡Think along and respond to the consultation on the amended “Besluit beveiligde verbinding met overheidswebsites en -webapplicaties” (Decree on secure connections to government websites and web applications): internetconsultatie.nl/verzame

    📜The revised decree, based on the Wet digitale overheid (Digital Government Act), refers to new versions of the TLS and web application guidelines from @ncsc_nl. Respond before 6 Jan 2026.

    More information on the current decree: digitaleoverheid.nl/overzicht-

    #beveiliging #websites #openstandaarden #HTTPS #HSTS

    @minbzk @nctvnl @DigitaleOverheid

  6. @gelatin @wyatt Maybe I'm missing something. If an attacker on a coffee shop WLAN sniffs your session cookie for a forum, they can proceed to ruin your life by posting illegal material under your name. There used to be a browser extension called "Firesheep" that would snoop others' cookies for Facebook until Facebook went all HTTPS all the time.

    #https #hsts #firesheep #facebook #PacketSniffer

  11. #help #hacked #sos #persistentlyHacked #disablementCampaign #conspiracyToOppress #illegalSurveillance #middleManAttack #peerTube #HSTS

    MIDDLE MAN SNIFFING, and can't load instances.joinpeertube.org and sepiasearch.org without. KEEP getting WARNING "Your connection is not private" ERR_CERT_AUTHORITY_INVALID

    You cannot visit right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

  12. tesla.com, spacex.com, and boringcompany.com are all not on the HSTS preload list.

    it would be a total shame if someone in a privileged network position used this to start inserting content letting people know that the CEO of these companies is a fucking Nazi.

    #hstspreloadlist #hsts #tesla #TeslaProtests #ElonMusk #doge

  13. #TIL you can bypass #HSTS and temporarily accept self-signed or expired certificates in #Firefox if you open the website in an incognito window. A normal Firefox context won't allow that. This is really helpful for development.

  14. Aha, so that's because of #HSTS and includeSubDomains.
    rfc-editor.org/rfc/rfc6797#sec

    It's nice when, with some piece of IT magic, you find out why it behaves the way it does.

  15. step 0: Have a domain with a "real" cert and a subdomain with a self-signed cert

    step 1: accept self-signed cert in firefox on subdomain
    step 2: activate HSTS on main domain
    step 3: wonder why self-signed cert no longer accepted on subdomain :S

    #HTTPS #HSTS
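The surprise in step 3 follows from RFC 6797: a policy with includeSubDomains on the parent makes every subdomain a Known HSTS Host (superdomain matching, section 8.2/8.3), and on a Known HSTS Host a certificate error is fatal with no click-through (section 12.1). The following is an added example, not code from the post: a minimal HSTS policy store in Python that replays the three steps with constructed hostnames (example.com and dev.example.com, not the poster's domains).

```python
def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 s.6.1); None if invalid."""
    max_age, include_subdomains, seen = None, False, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # duplicate directives make the header invalid (s.6.1)
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives do not change UA behaviour here
    return None if max_age is None else (max_age, include_subdomains)

def process_sts(store, host, header, now):
    """Record a policy received over an error-free TLS connection (s.8.1)."""
    parsed = parse_sts(header)
    if parsed is None:
        return False
    max_age, include_subdomains = parsed
    if max_age == 0:  # max-age=0 tells the UA to forget this host
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = (now + max_age, include_subdomains)
    return True

def is_known_hsts_host(store, host, now):
    """Superdomain match (s.8.2/8.3): the host itself, or an ancestor with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False

def replay_steps():
    """Steps 1 to 3 from the post with constructed hosts; a cert error on a
    Known HSTS Host is fatal (s.12.1), so 'overridable' == not a Known HSTS Host."""
    store, t0 = {}, 1_700_000_000
    before = not is_known_hsts_host(store, "dev.example.com", t0)    # step 1: exception allowed
    process_sts(store, "example.com", "max-age=31536000; includeSubDomains", t0)  # step 2
    after = not is_known_hsts_host(store, "dev.example.com", t0 + 60)  # step 3: refused
    return before, after
```

Without includeSubDomains on the parent, the subdomain stays outside the policy and the exception in step 1 keeps working; sending max-age=0 from the parent is the only way to undo the stored policy short of clearing browser data.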

  16. Can anyone offer a guess as to why I'm getting an HSTS error only on one computer?
    I've run all Windows updates and a full virus/malware scan, and still can't load hippyjo.com or idwerkz.com on my desktop machine, in any browser.
    They load fine on my laptop and phone though.
    I've cleared cache, DNS, for windows and Chrome, and Firefox.
    SSL certificate is valid, though I am not certain my hosting service has configured everything else properly. But they seem to load fine on every device other than my desktop.
    I've exhausted my brain - can't figure out why the problem is only on this machine.
    Please and thank you in advance for any ideas of what might be going on.
    #html #hsts #troubleshoot #weirdError

  17. Made my personal website get the maximum amount of points of Mozilla's HTTP Observatory. Now, my static site delivers content as securely as it possibly can. I highly recommend anyone with a personal website to tweak it along with their webserver so that it gets at least a hundred points on HTTP Observatory.
    developer.mozilla.org/en-US/ob
    The least you can do is add your site to the HSTS Preload list (hstspreload.org/).

    #blog #personalwebsite #mozilla #mdn #http #caddyserver #hsts #webdev

  18. TIL secure.py 🔒

    "Lightweight modern Python library to add security headers (CSP, HSTS, etc.) to Django, Flask, FastAPI, and more. Secure defaults or fully customizable."

    github.com/TypeError/secure

  19. It’s 2024 and certificate renewal is still an issue. (Love that they’ve enabled HSTS though.)

    #HTTPS #TLS #HSTS #NIST

  20. Here's a good explanation on what HSTS is and why it's important. maxivanov.io/http-strict-trans (there's a lot of bad explanations on the net)

    I noticed the coolify.io website doesn't have these HSTS headers

    github.com/coollabsio/coolify/

  21. Apparently Mozilla fixed the unreliability of #HSTS 5 months ago. My bug report was resolved as a result. That's great news!

    As far as I know, the HSTS table can now hold up to 2048 entries. Only 0.1% of Firefox users use more than that.

    Also, the implementation of nsIDataStorage seems to allow additional temporary data, so even more values could be stored. However, I didn't really understand how this works.

    infosec.exchange/@kpwn/1100104

    #InfoSec #CyberSecurity #Pentesting #AppSec #Hacking

  22. secure your #wordpress site with #http #headers content-security policy #csp cross origin embedder policy #coep cross origin opener policy #coop cross origin resource policy #corp referrer policy http strict transport security #hsts permission policy and others: jornfranke.codeberg.page/techn

  27. The #HSTS issue has happened again.
    Last night all was good.
    Today in #firefox (and the #dev), #edge, #brave and #safari - NONE of them will connect to #facebook or #reddit.

    Nothing here has updated.

    I'll have to wait to waste my time :)

  28. Trying to read about Authentik, but the website certificate on goauthentik.io has the wrong host, and HSTS means you can't access it with an invalid certificate.

    Try to report it to the team and can only find a "join our Discord" link, except it's not an invite link, it's a link to the website which (if it was working) might redirect me there.

    I guess I don't get to learn about Authentik today.
    #authentik #ssl #netlify #hsts

  29. TIL that #Firefox (and supposedly all major browsers) forces #HSTS with any .dev domain so you can't really use .dev domains for testing with self-signed certificates. Even if you add an explicit exception it won't let you connect. #infosec

  30. @SectigoHQ 2024/01 internet.nl/site/www.secti…

    Still no #dnssec #hsts
    Your web server does not prefer 'Good' over 'Sufficient' over 'Phase out' ciphers ('II').

  31. The #HSTS pre-load list is about 14MB and contains roughly 130k entries.

    source.chromium.org/chromium/c

    Of which…
    🏢 4,507 are .gov domains
    🇬🇧 2,676 .uk
    🇫🇷 1,725 .fr
    ℹ 713 .info
    🗺 418 IDNs (xn--)
    💑 187 have "porn" in the domain
    🏳️‍🌈 25 .gay

    It contains plenty of rude words, not many obvious slurs, and I wonder what surprises are hidden in there?