[HSTS] HSTS Preloading: HSTS is the great little response header that tells a browser to always use SSL/TLS to communicate with your site. It doesn't matter if the user, or a link they are clicking, specifies HTTP; HSTS will remove the ability for a...
[DHE] Perfect Forward Secrecy - An Introduction: Perfect Forward Secrecy is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. By generating a unique session key for every session a user initiates, even...
[cipher suite] Getting an A+ rating on the Qualys SSL Test: The SSL Test provided by Qualys does an incredibly thorough evaluation of the SSL configuration on your server. It's a great way to get a feel for whether...
[certificate] OCSP Stapling; SSL with added speed and privacy: Using SSL on your site comes with certain overheads, and one of those overheads is checking the revocation status of your SSL certificate. Whilst this particular overhead resides on the client side, rather than the server side, it still affects the performance of your...
[CloudFlare] My TLS conundrum and why I decided to leave CloudFlare: CloudFlare is an incredibly advanced content delivery network (CDN) that offers boosts to the security and performance of your site. They act as a reverse proxy and shield your web server from exposure to the wider Internet. You get huge bandwidth savings and a...
[cookies] Web Security - The hidden dangers of hunting for a new house: When looking for a new house to buy in the UK, the chances are at some point you will end up on the website of RightMove or Zoopla. With RightMove claiming they are "the UK's number one property website" and...
[HSTS] Issuing HSTS policy in PHP: HSTS is a great way of protecting visitors to your website by ensuring their browser only uses a secure connection to communicate. If you use shared hosting and don't have access to change the header configuration, or you simply want to test...
[HSTS] Manually enforcing HSTS in Google Chrome: HSTS policies are usually distributed by a web server as an HTTP response header. Whilst some sites enforce HTTPS by issuing a redirect, many do not implement HSTS and leave the user vulnerable to a MiTM attack. HSTS policies can be added to Google...
[encryption] HSTS - The missing link in Transport Layer Security: HTTP Strict Transport Security (HSTS [https://scotthel.me/d8j3]) is a policy mechanism that allows a web server to enforce the use of TLS [https://scotthel.me/s8d7] in a compliant User Agent (UA), such as a web browser. HSTS allows for a more...
[code injection] Code Injection - TLS (SSL) is not all about privacy, it's about integrity too: TLS isn't just about ensuring your data remains private whilst transiting the Internet, it's also about ensuring the integrity of the data. In this post I will demonstrate an HTML injection attack and show you what a man in the...