Web

HSTS directs the browser to use HTTPS for certain domains (optionally subdomains). This mitigates some MitM attacks by upgrading HTTP connections to HTTPS. HSTS Preloading The native implementation of HSTS communicates the HSTS policy to the browser via an HTTP response header Strict-Transport-Security: max-age=31536000; includeSubDomains. HSTS requires a user to visit a website once before HSTS protection is cached. But what if HTTP is used on the first visit or a user clears their cache frequently? An attacker can still redirect the user to a malicious site by altering the response. ...