HTTP Strict Transport Security
An emerging standard called Strict Transport Security is starting to gain traction among web browsers. Google Chrome supports it, and Firefox is working on it (it is currently available in Firefox through the NoScript extension).
So what is Strict Transport Security?
Strict Transport Security (STS) allows a web server to send an HTTP response header telling the browser that it must only be reached over a secure HTTPS connection, for a given duration of time. While that policy is in effect the browser rewrites any plain http:// request for the host to https:// before sending it. Furthermore, if there is any certificate error on the site, or on content the site embeds that has a certificate error, the connection simply fails. This prevents the user from clicking through a security exception and continuing on an untrusted connection.
PayPal was a big backer of this standard, and is among a small handful of sites currently using it. Here is what PayPal sends in their HTTP response headers:
Setting a Strict Transport Security Header in ColdFusion:
To set this header in ColdFusion you can simply use the cfheader tag:
<cfheader name="Strict-Transport-Security" value="max-age=1200">
The max-age value is the number of seconds the policy remains in effect in the user agent before it expires. The 1200 seconds (20 minutes) above is fine for testing, but since the protection only lasts while the policy is cached, production sites typically use a much larger value such as 31536000 (one year). Sending max-age=0 tells the browser to drop the policy for the host. Note that browsers only honor this header when it arrives over an HTTPS connection with a valid certificate; a Strict-Transport-Security header on a plain HTTP response is ignored.
You can also specify that you want the policy to cover all subdomains as well using:
<cfheader name="Strict-Transport-Security" value="max-age=1200; includeSubDomains">
Be careful with includeSubDomains: once the browser has cached it, every subdomain (including ones that only ever served plain HTTP) becomes unreachable unless it serves HTTPS with a valid certificate, for the full max-age period.
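To make the browser-side behaviour concrete, here is an added example (not from the original post, and not ColdFusion code) that simulates how a user agent parses the Strict-Transport-Security header, stores the policy with its expiry, applies includeSubDomains when matching hosts, and upgrades plain http:// URLs. The hostnames, timestamps and responses in the demo are constructed for illustration; the parsing and matching rules follow RFC 6797.

```python
"""Simulate a browser's HSTS policy store.

Added example, not code from the original post. Hostnames, clock values
and responses below are constructed for illustration.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse 'max-age=<seconds>[; includeSubDomains]'.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid (missing or non-numeric max-age, duplicated directive).
    Directive names are case-insensitive; unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    seen = set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows quoted values
        if name in seen:
            return None  # duplicated directives invalidate the whole header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Remembers which hosts must only be reached over HTTPS."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, host, over_tls, header):
        """Record a policy carried by a response; returns True if accepted.

        A policy is only honored when the response arrived over a TLS
        connection without certificate errors; max-age=0 removes the host.
        """
        if not over_tls:
            return False
        policy = parse_sts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._policies.pop(host, None)
            return True
        expires_at = self._clock() + policy["max_age"]
        self._policies[host] = (expires_at, policy["include_subdomains"])
        return True

    def is_known_host(self, host):
        """True if requests to host must be upgraded to HTTPS.

        Walks from the full host up through its parent domains; a parent's
        policy only applies when it was set with includeSubDomains.
        """
        host = host.lower()
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                del self._policies[candidate]  # expired policy is forgotten
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts (port 80 becomes 443,
        any other explicit port is kept, as RFC 6797 specifies)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the scenarios a practitioner should expect."""
    now = [1_000_000.0]  # constructed clock so expiry is deterministic
    store = HstsStore(clock=lambda: now[0])
    # Constructed plain-HTTP response: its header must be ignored.
    store.observe_response("example.com", False, "max-age=1200")
    results = {"plain_http_ignored": store.is_known_host("example.com")}
    # Constructed HTTPS response carrying the header from the post above.
    store.observe_response("example.com", True, "max-age=1200; includeSubDomains")
    results["root"] = store.upgrade("http://example.com/login")
    results["sub"] = store.upgrade("http://api.example.com:8080/v1")
    results["other"] = store.upgrade("http://example.org/")
    now[0] += 1201  # move past max-age: the policy has expired
    results["expired"] = store.is_known_host("example.com")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Run it and note the two failure modes the demo exercises: a policy delivered over plain HTTP is never stored (an attacker on the network could otherwise set one), and a policy silently disappears once max-age elapses, which is why a short value like 1200 offers little real protection.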