GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools

Problem, Formatting or Query -  Send Feedback

Was this page helpful?-10+1


rfc:rfc6797

Internet Engineering Task Force (IETF) J. Hodges Request for Comments: 6797 PayPal Category: Standards Track C. Jackson ISSN: 2070-1721 Carnegie Mellon University

                                                              A. Barth
                                                          Google, Inc.
                                                         November 2012
               HTTP Strict Transport Security (HSTS)

Abstract

 This specification defines a mechanism enabling web sites to declare
 themselves accessible only via secure connections and/or for users to
 be able to direct their user agent(s) to interact with given sites
 only over secure connections.  This overall policy is referred to as
 HTTP Strict Transport Security (HSTS).  The policy is declared by web
 sites via the Strict-Transport-Security HTTP response header field
 and/or by other means, such as user agent configuration, for example.

Status of This Memo

 This is an Internet Standards Track document.
 This document is a product of the Internet Engineering Task Force
 (IETF).  It represents the consensus of the IETF community.  It has
 received public review and has been approved for publication by the
 Internet Engineering Steering Group (IESG).  Further information on
 Internet Standards is available in Section 2 of RFC 5741.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc6797.

Hodges, et al. Standards Track [Page 1] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

Copyright Notice

 Copyright (c) 2012 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.  Code Components extracted from this document must
 include Simplified BSD License text as described in Section 4.e of
 the Trust Legal Provisions and are provided without warranty as
 described in the Simplified BSD License.

Table of Contents

 1. Introduction ....................................................4
    1.1. Organization of This Specification .........................6
    1.2. Document Conventions .......................................6
 2. Overview ........................................................6
    2.1. Use Cases ..................................................6
    2.2. HTTP Strict Transport Security Policy Effects ..............6
    2.3. Threat Model ...............................................6
         2.3.1. Threats Addressed ...................................7
                2.3.1.1. Passive Network Attackers ..................7
                2.3.1.2. Active Network Attackers ...................7
                2.3.1.3. Web Site Development and Deployment Bugs ...8
         2.3.2. Threats Not Addressed ...............................8
                2.3.2.1. Phishing ...................................8
                2.3.2.2. Malware and Browser Vulnerabilities ........8
    2.4. Requirements ...............................................9
         2.4.1. Overall Requirement .................................9
                2.4.1.1. Detailed Core Requirements .................9
                2.4.1.2. Detailed Ancillary Requirements ...........10
 3. Conformance Criteria ...........................................10
 4. Terminology ....................................................11
 5. HSTS Mechanism Overview ........................................13
    5.1. HSTS Host Declaration .....................................13
    5.2. HSTS Policy ...............................................13
    5.3. HSTS Policy Storage and Maintenance by User Agents ........14
    5.4. User Agent HSTS Policy Enforcement ........................14
 6. Syntax .........................................................14
    6.1. Strict-Transport-Security HTTP Response Header Field ......15
         6.1.1. The max-age Directive ..............................16
         6.1.2. The includeSubDomains Directive ....................16
    6.2. Examples ..................................................16

Hodges, et al. Standards Track [Page 2] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 7. Server Processing Model ........................................17
    7.1. HTTP-over-Secure-Transport Request Type ...................17
    7.2. HTTP Request Type .........................................18
 8. User Agent Processing Model ....................................18
    8.1. Strict-Transport-Security Response Header Field
         Processing ................................................19
         8.1.1. Noting an HSTS Host - Storage Model ................20
    8.2. Known HSTS Host Domain Name Matching ......................20
    8.3. URI Loading and Port Mapping ..............................21
    8.4. Errors in Secure Transport Establishment ..................22
    8.5. HTTP-Equiv <Meta> Element Attribute .......................22
    8.6. Missing Strict-Transport-Security Response Header Field ...23
 9. Constructing an Effective Request URI ..........................23
    9.1. ERU Fundamental Definitions ...............................23
    9.2. Determining the Effective Request URI .....................24
         9.2.1. Effective Request URI Examples .....................24
 10. Domain Name IDNA-Canonicalization .............................25
 11. Server Implementation and Deployment Advice ...................26
    11.1. Non-Conformant User Agent Considerations .................26
    11.2. HSTS Policy Expiration Time Considerations ...............26
    11.3. Using HSTS in Conjunction with Self-Signed Public-Key
          Certificates .............................................27
    11.4. Implications of includeSubDomains ........................28
          11.4.1. Considerations for Offering Unsecured HTTP
                  Services at Alternate Ports or Subdomains of an
                  HSTS Host ........................................28
          11.4.2. Considerations for Offering Web Applications at
                  Subdomains of an HSTS Host .......................29
 12. User Agent Implementation Advice ..............................30
    12.1. No User Recourse .........................................30
    12.2. User-Declared HSTS Policy ................................30
    12.3. HSTS Pre-Loaded List .....................................31
    12.4. Disallow Mixed Security Context Loads ....................31
    12.5. HSTS Policy Deletion .....................................31
 13. Internationalized Domain Names for Applications (IDNA):
     Dependency and Migration ......................................32

Hodges, et al. Standards Track [Page 3] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 14. Security Considerations .......................................32
    14.1. Underlying Secure Transport Considerations ...............32
    14.2. Non-Conformant User Agent Implications ...................33
    14.3. Ramifications of HSTS Policy Establishment Only over
          Error-Free Secure Transport ..............................33
    14.4. The Need for includeSubDomains ...........................34
    14.5. Denial of Service ........................................35
    14.6. Bootstrap MITM Vulnerability .............................36
    14.7. Network Time Attacks .....................................37
    14.8. Bogus Root CA Certificate Phish plus DNS Cache
          Poisoning Attack .........................................37
    14.9. Creative Manipulation of HSTS Policy Store ...............37
    14.10. Internationalized Domain Names ..........................38
 15. IANA Considerations ...........................................39
 16. References ....................................................39
    16.1. Normative References .....................................39
    16.2. Informative References ...................................40
 Appendix A. Design Decision Notes .................................44
 Appendix B. Differences between HSTS Policy and Same-Origin
             Policy ................................................45
 Appendix C. Acknowledgments .......................................46

1. Introduction

 HTTP [RFC2616] may be used over various transports, typically the
 Transmission Control Protocol (TCP).  However, TCP does not provide
 channel integrity protection, confidentiality, or secure host
 identification.  Thus, the Secure Sockets Layer (SSL) protocol
 [RFC6101] and its successor, Transport Layer Security (TLS) [RFC5246]
 were developed in order to provide channel-oriented security and are
 typically layered between application protocols and TCP.  [RFC2818]
 specifies how HTTP is layered onto TLS and defines the Uniform
 Resource Identifier (URI) scheme of "https" (in practice, however,
 HTTP user agents (UAs) typically use either TLS or SSL3, depending
 upon a combination of negotiation with the server and user
 preferences).
 UAs employ various local security policies with respect to the
 characteristics of their interactions with web resources, depending
 on (in part) whether they are communicating with a given web
 resource's host using HTTP or HTTP-over-Secure-Transport.  For
 example, cookies ([RFC6265]) may be flagged as Secure.  UAs are to
 send such Secure cookies to their addressed host only over a secure
 transport.  This is in contrast to non-Secure cookies, which are
 returned to the host regardless of transport (although subject to
 other rules).

Hodges, et al. Standards Track [Page 4] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 UAs typically announce to their users any issues with secure
 connection establishment, such as being unable to validate a TLS
 server certificate trust chain, or if a TLS server certificate is
 expired, or if a TLS host's domain name appears incorrectly in the
 TLS server certificate (see Section 3.1 of [RFC2818]).  Often, UAs
 enable users to elect to continue to interact with a web resource's
 host in the face of such issues.  This behavior is sometimes referred
 to as "click(ing) through" security [GoodDhamijaEtAl05]
 [SunshineEgelmanEtAl09]; thus, it can be described as "click-through
 insecurity".
 A key vulnerability enabled by click-through insecurity is the
 leaking of any cookies the web resource may be using to manage a
 user's session.  The threat here is that an attacker could obtain the
 cookies and then interact with the legitimate web resource while
 impersonating the user.
 Jackson and Barth proposed an approach, in [ForceHTTPS], to enable
 web resources to declare that any interactions by UAs with the web
 resource must be conducted securely and that any issues with
 establishing a secure transport session are to be treated as fatal
 and without direct user recourse.  The aim is to prevent click-
 through insecurity and address other potential threats.
 This specification embodies and refines the approach proposed in
 [ForceHTTPS].  For example, rather than using a cookie to convey
 policy from a web resource's host to a UA, it defines an HTTP
 response header field for this purpose.  Additionally, a web
 resource's host may declare its policy to apply to the entire domain
 name subtree rooted at its host name.  This enables HTTP Strict
 Transport Security (HSTS) to protect so-called "domain cookies",
 which are applied to all subdomains of a given web resource's host
 name.
 This specification also incorporates notions from [JacksonBarth2008]
 in that policy is applied on an "entire-host" basis: it applies to
 HTTP (only) over any TCP port of the issuing host.
 Note that the policy defined by this specification is distinctly
 different than the "same-origin policy" defined in "The Web Origin
 Concept" [RFC6454].  These differences are summarized in Appendix B.

Hodges, et al. Standards Track [Page 5] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

1.1. Organization of This Specification

 This specification begins with an overview of the use cases, policy
 effects, threat models, and requirements for HSTS (in Section 2).
 Then, Section 3 defines conformance requirements.  Section 4 defines
 terminology relevant to this document.  The HSTS mechanism itself is
 formally specified in Sections 5 through 15.

1.2. Document Conventions

 NOTE:  This is a note to the reader.  These are points that should be
        expressly kept in mind and/or considered.

2. Overview

 This section discusses the use cases, summarizes the HSTS Policy, and
 continues with a discussion of the threat model, non-addressed
 threats, and derived requirements.

2.1. Use Cases

 The high-level use case is a combination of:
 o  Web browser user wishes to interact with various web sites (some
    arbitrary, some known) in a secure fashion.
 o  Web site deployer wishes to offer their site in an explicitly
    secure fashion for their own, as well as their users', benefit.

2.2. HTTP Strict Transport Security Policy Effects

 The effects of the HSTS Policy, as applied by a conformant UA in
 interactions with a web resource host wielding such policy (known as
 an HSTS Host), are summarized as follows:
 1.  UAs transform insecure URI references to an HSTS Host into secure
     URI references before dereferencing them.
 2.  The UA terminates any secure transport connection attempts upon
     any and all secure transport errors or warnings.

2.3. Threat Model

 HSTS is concerned with three threat classes: passive network
 attackers, active network attackers, and imperfect web developers.
 However, it is explicitly not a remedy for two other classes of
 threats: phishing and malware.  Threats that are addressed, as well
 as threats that are not addressed, are briefly discussed below.

Hodges, et al. Standards Track [Page 6] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 Readers may wish to refer to Section 2 of [ForceHTTPS] for details as
 well as relevant citations.

2.3.1. Threats Addressed

2.3.1.1. Passive Network Attackers

 When a user browses the web on a local wireless network (e.g., an
 802.11-based wireless local area network) a nearby attacker can
 possibly eavesdrop on the user's unencrypted Internet Protocol-based
 connections, such as HTTP, regardless of whether or not the local
 wireless network itself is secured [BeckTews09].  Freely available
 wireless sniffing toolkits (e.g., [Aircrack-ng]) enable such passive
 eavesdropping attacks, even if the local wireless network is
 operating in a secure fashion.  A passive network attacker using such
 tools can steal session identifiers/cookies and hijack the user's web
 session(s) by obtaining cookies containing authentication credentials
 [ForceHTTPS].  For example, there exist widely available tools, such
 as Firesheep (a web browser extension) [Firesheep], that enable their
 wielder to obtain other local users' session cookies for various web
 applications.
 To mitigate such threats, some web sites support, but usually do not
 force, access using end-to-end secure transport -- e.g., signaled
 through URIs constructed with the "https" scheme [RFC2818].  This can
 lead users to believe that accessing such services using secure
 transport protects them from passive network attackers.
 Unfortunately, this is often not the case in real-world deployments,
 as session identifiers are often stored in non-Secure cookies to
 permit interoperability with versions of the service offered over
 insecure transport ("Secure cookies" are those cookies containing the
 "Secure" attribute [RFC6265]).  For example, if the session
 identifier for a web site (an email service, say) is stored in a
 non-Secure cookie, it permits an attacker to hijack the user's
 session if the user's UA makes a single insecure HTTP request to the
 site.

2.3.1.2. Active Network Attackers

 A determined attacker can mount an active attack, either by
 impersonating a user's DNS server or, in a wireless network, by
 spoofing network frames or offering a similarly named evil twin
 access point.  If the user is behind a wireless home router, an
 attacker can attempt to reconfigure the router using default
 passwords and other vulnerabilities.  Some sites, such as banks, rely
 on end-to-end secure transport to protect themselves and their users
 from such active attackers.  Unfortunately, browsers allow their
 users to easily opt out of these protections in order to be usable

Hodges, et al. Standards Track [Page 7] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 for sites that incorrectly deploy secure transport, for example by
 generating and self-signing their own certificates (without also
 distributing their certification authority (CA) certificate to their
 users' browsers).

2.3.1.3. Web Site Development and Deployment Bugs

 The security of an otherwise uniformly secure site (i.e., all of its
 content is materialized via "https" URIs) can be compromised
 completely by an active attacker exploiting a simple mistake, such as
 the loading of a cascading style sheet or a SWF (Shockwave Flash)
 movie over an insecure connection (both cascading style sheets and
 SWF movies can script the embedding page, to the surprise of many web
 developers, plus some browsers do not issue so-called "mixed content
 warnings" when SWF files are embedded via insecure connections).
 Even if the site's developers carefully scrutinize their login page
 for "mixed content", a single insecure embedding anywhere on the
 overall site compromises the security of their login page because an
 attacker can script (i.e., control) the login page by injecting code
 (e.g., a script) into another, insecurely loaded, site page.
 NOTE:  "Mixed content" as used above (see also Section 5.3 in
        [W3C.REC-wsc-ui-20100812]) refers to the notion termed "mixed
        security context" in this specification and should not be
        confused with the same "mixed content" term used in the
        context of markup languages such as XML and HTML.

2.3.2. Threats Not Addressed

2.3.2.1. Phishing

 Phishing attacks occur when an attacker solicits authentication
 credentials from the user by hosting a fake site located on a
 different domain than the real site, perhaps driving traffic to the
 fake site by sending a link in an email message.  Phishing attacks
 can be very effective because users find it difficult to distinguish
 the real site from a fake site.  HSTS is not a defense against
 phishing per se; rather, it complements many existing phishing
 defenses by instructing the browser to protect session integrity and
 long-lived authentication tokens [ForceHTTPS].

2.3.2.2. Malware and Browser Vulnerabilities

 Because HSTS is implemented as a browser security mechanism, it
 relies on the trustworthiness of the user's system to protect the
 session.  Malicious code executing on the user's system can
 compromise a browser session, regardless of whether HSTS is used.

Hodges, et al. Standards Track [Page 8] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

2.4. Requirements

 This section identifies and enumerates various requirements derived
 from the use cases and the threats discussed above and also lists the
 detailed core requirements that HTTP Strict Transport Security
 addresses, as well as ancillary requirements that are not directly
 addressed.

2.4.1. Overall Requirement

 o  Minimize, for web browser users and web site deployers, the risks
    that are derived from passive and active network attackers, web
    site development and deployment bugs, and insecure user actions.

2.4.1.1. Detailed Core Requirements

 These core requirements are derived from the overall requirement and
 are addressed by this specification.
 1.  Web sites need to be able to declare to UAs that they should be
     accessed using a strict security policy.
 2.  Web sites need to be able to instruct UAs that contact them
     insecurely to do so securely.
 3.  UAs need to retain persistent data about web sites that signal
     strict security policy enablement, for time spans declared by the
     web sites.  Additionally, UAs need to cache the "freshest" strict
     security policy information, in order to allow web sites to
     update the information.
 4.  UAs need to rewrite all insecure UA "http" URI loads to use the
     "https" secure scheme for those web sites for which secure policy
     is enabled.
 5.  Web site administrators need to be able to signal strict security
     policy application to subdomains of higher-level domains for
     which strict security policy is enabled, and UAs need to enforce
     such policy.
     For example, both example.com and foo.example.com could set
     policy for bar.foo.example.com.

Hodges, et al. Standards Track [Page 9] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 6.  UAs need to disallow security policy application to peer domains,
     and/or higher-level domains, by domains for which strict security
     policy is enabled.
     For example, neither bar.foo.example.com nor foo.example.com can
     set policy for example.com, nor can bar.foo.example.com set
     policy for foo.example.com.  Also, foo.example.com cannot set
     policy for sibling.example.com.
 7.  UAs need to prevent users from "clicking through" security
     warnings.  Halting connection attempts in the face of secure
     transport exceptions is acceptable.  See also Section 12.1 ("No
     User Recourse").
 NOTE:  A means for uniformly securely meeting the first core
        requirement above is not specifically addressed by this
        specification (see Section 14.6 ("Bootstrap MITM
        Vulnerability")).  It may be addressed by a future revision of
        this specification or some other specification.  Note also
        that there are means by which UA implementations may more
        fully meet the first core requirement; see Section 12 ("User
        Agent Implementation Advice").

2.4.1.2. Detailed Ancillary Requirements

 These ancillary requirements are also derived from the overall
 requirement.  They are not normatively addressed in this
 specification but could be met by UA implementations at their
 implementor's discretion, although meeting these requirements may be
 complex.
 1.  Disallow "mixed security context" loads (see Section 2.3.1.3).
 2.  Facilitate user declaration of web sites for which strict
     security policy is enabled, regardless of whether the sites
     signal HSTS Policy.

3. Conformance Criteria

 This specification is written for hosts and user agents.
 A conformant host is one that implements all the requirements listed
 in this specification that are applicable to hosts.
 A conformant user agent is one that implements all the requirements
 listed in this specification that are applicable to user agents.

Hodges, et al. Standards Track [Page 10] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in [RFC2119].

4. Terminology

 Terminology is defined in this section.
 ASCII case-insensitive comparison:
    means comparing two strings exactly, codepoint for codepoint,
    except that the characters in the range U+0041 ..  U+005A (i.e.,
    LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the
    corresponding characters in the range U+0061 ..  U+007A (i.e.,
    LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to
    also match.  See [Unicode] for details.
 codepoint:
    is a colloquial contraction of Code Point, which is any value in
    the Unicode codespace; that is, the range of integers from 0 to
    10FFFF(hex) [Unicode].
 domain name:
    is also referred to as "DNS name" and is defined in [RFC1035] to
    be represented outside of the DNS protocol itself (and
    implementations thereof) as a series of labels separated by dots,
    e.g., "example.com" or "yet.another.example.org".  In the context
    of this specification, domain names appear in that portion of a
    URI satisfying the reg-name production in "Appendix A.  Collected
    ABNF for URI" in [RFC3986], and the host component from the Host
    HTTP header field production in Section 14.23 of [RFC2616].
    NOTE:  The domain names appearing in actual URI instances and
           matching the aforementioned production components may or
           may not be a fully qualified domain name.
 domain name label:
    is that portion of a domain name appearing "between the dots",
    i.e., consider "foo.example.com": "foo", "example", and "com" are
    all domain name labels.

Hodges, et al. Standards Track [Page 11] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 Effective Request URI:
    is a URI, identifying the target resource, that can be inferred by
    an HTTP host for any given HTTP request it receives.  Such
    inference is necessary because HTTP requests often do not contain
    a complete "absolute" URI identifying the target resource.  See
    Section 9 ("Constructing an Effective Request URI").
 HTTP Strict Transport Security:
    is the overall name for the combined UA- and server-side security
    policy defined by this specification.
 HTTP Strict Transport Security Host:
    is a conformant host implementing the HTTP server aspects of the
    HSTS Policy.  This means that an HSTS Host returns the
    "Strict-Transport-Security" HTTP response header field in its HTTP
    response messages sent over secure transport.
 HTTP Strict Transport Security Policy:
    is the name of the combined overall UA- and server-side facets of
    the behavior defined in this specification.
 HSTS:
    See HTTP Strict Transport Security.
 HSTS Host:
    See HTTP Strict Transport Security Host.
 HSTS Policy:
    See HTTP Strict Transport Security Policy.
 Known HSTS Host:
    is an HSTS Host for which the UA has an HSTS Policy in effect;
    i.e., the UA has noted this host as a Known HSTS Host.  See
    Section 8.1.1 ("Noting an HSTS Host - Storage Model") for
    particulars.
 Local policy:
    comprises policy rules that deployers specify and that are often
    manifested as configuration settings.

Hodges, et al. Standards Track [Page 12] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 MITM:
    is an acronym for "man in the middle".  See "man-in-the-middle
    attack" in [RFC4949].
 Request URI:
    is the URI used to cause a UA to issue an HTTP request message.
    See also "Effective Request URI".
 UA:
    is an acronym for "user agent".  For the purposes of this
    specification, a UA is an HTTP client application typically
    actively manipulated by a user [RFC2616].
 unknown HSTS Host:
    is an HSTS Host that the user agent has not noted.

5. HSTS Mechanism Overview

 This section provides an overview of the mechanism by which an HSTS
 Host conveys its HSTS Policy to UAs and how UAs process the HSTS
 Policies received from HSTS Hosts.  The mechanism details are
 specified in Sections 6 through 15.

5.1. HSTS Host Declaration

 An HTTP host declares itself an HSTS Host by issuing to UAs an HSTS
 Policy, which is represented by and conveyed via the
 Strict-Transport-Security HTTP response header field over secure
 transport (e.g., TLS).  Upon error-free receipt and processing of
 this header by a conformant UA, the UA regards the host as a Known
 HSTS Host.

5.2. HSTS Policy

 An HSTS Policy directs UAs to communicate with a Known HSTS Host only
 over secure transport and specifies policy retention time duration.
 HSTS Policy explicitly overrides the UA processing of URI references,
 user input (e.g., via the "location bar"), or other information that,
 in the absence of HSTS Policy, might otherwise cause UAs to
 communicate insecurely with the Known HSTS Host.

Hodges, et al. Standards Track [Page 13] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 An HSTS Policy may contain an optional directive -- includeSubDomains
 -- specifying that this HSTS Policy also applies to any hosts whose
 domain names are subdomains of the Known HSTS Host's domain name.

5.3. HSTS Policy Storage and Maintenance by User Agents

 UAs store and index HSTS Policies based strictly upon the domain
 names of the issuing HSTS Hosts.
 This means that UAs will maintain the HSTS Policy of any given HSTS
 Host separately from any HSTS Policies issued by any other HSTS Hosts
 whose domain names are superdomains or subdomains of the given HSTS
 Host's domain name.  Only the given HSTS Host can update or can cause
 deletion of its issued HSTS Policy.  It accomplishes this by sending
 Strict-Transport-Security HTTP response header fields to UAs with new
 values for policy time duration and subdomain applicability.  Thus,
 UAs cache the "freshest" HSTS Policy information on behalf of an HSTS
 Host.  Specifying a zero time duration signals the UA to delete the
 HSTS Policy (including any asserted includeSubDomains directive) for
 that HSTS Host.  See Section 8.1 ("Strict-Transport-Security Response
 Header Field Processing") for details.  Additionally, Section 6.2
 presents examples of Strict-Transport-Security HTTP response header
 fields.

5.4. User Agent HSTS Policy Enforcement

 When establishing an HTTP connection to a given host, however
 instigated, the UA examines its cache of Known HSTS Hosts to see if
 there are any with domain names that are superdomains of the given
 host's domain name.  If any are found, and of those if any have the
 includeSubDomains directive asserted, then HSTS Policy applies to the
 given host.  Otherwise, HSTS Policy applies to the given host only if
 the given host is itself known to the UA as an HSTS Host.  See
 Section 8.3 ("URI Loading and Port Mapping") for details.

6. Syntax

 This section defines the syntax of the Strict-Transport-Security HTTP
 response header field and its directives, and presents some examples.
 Section 7 ("Server Processing Model") then details how hosts employ
 this header field to declare their HSTS Policy, and Section 8 ("User
 Agent Processing Model") details how user agents process the header
 field and apply the HSTS Policy.

Hodges, et al. Standards Track [Page 14] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

6.1. Strict-Transport-Security HTTP Response Header Field

 The Strict-Transport-Security HTTP response header field (STS header
 field) indicates to a UA that it MUST enforce the HSTS Policy in
 regards to the host emitting the response message containing this
 header field.
 The ABNF (Augmented Backus-Naur Form) syntax for the STS header field
 is given below.  It is based on the Generic Grammar defined in
 Section 2 of [RFC2616] (which includes a notion of "implied linear
 whitespace", also known as "implied *LWS").
   Strict-Transport-Security = "Strict-Transport-Security" ":"
                               [ directive ]  *( ";" [ directive ] )
   directive                 = directive-name [ "=" directive-value ]
   directive-name            = token
   directive-value           = token | quoted-string
 where:
   token          = <token, defined in [RFC2616], Section 2.2>
   quoted-string  = <quoted-string, defined in [RFC2616], Section 2.2>
 The two directives defined in this specification are described below.
 The overall requirements for directives are:
 1.  The order of appearance of directives is not significant.
 2.  All directives MUST appear only once in an STS header field.
     Directives are either optional or required, as stipulated in
     their definitions.
 3.  Directive names are case-insensitive.
 4.  UAs MUST ignore any STS header field containing directives, or
     other header field value data, that does not conform to the
     syntax defined in this specification.
 5.  If an STS header field contains directive(s) not recognized by
     the UA, the UA MUST ignore the unrecognized directives, and if
     the STS header field otherwise satisfies the above requirements
     (1 through 4), the UA MUST process the recognized directives.
 Additional directives extending the semantic functionality of the STS
 header field can be defined in other specifications, with a registry
 (having an IANA policy definition of IETF Review [RFC5226]) defined
 for them at such time.

Hodges, et al. Standards Track [Page 15] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 NOTE:  Such future directives will be ignored by UAs implementing
        only this specification, as well as by generally
        non-conforming UAs.  See Section 14.2 ("Non-Conformant User
        Agent Implications") for further discussion.

6.1.1. The max-age Directive

 The REQUIRED "max-age" directive specifies the number of seconds,
 after the reception of the STS header field, during which the UA
 regards the host (from whom the message was received) as a Known HSTS
 Host.  See also Section 8.1.1 ("Noting an HSTS Host - Storage
 Model").  The delta-seconds production is specified in [RFC2616].
 The syntax of the max-age directive's REQUIRED value (after
 quoted-string unescaping, if necessary) is defined as:
  max-age-value = delta-seconds
  delta-seconds = <1*DIGIT, defined in [RFC2616], Section 3.3.2>
 NOTE:  A max-age value of zero (i.e., "max-age=0") signals the UA to
        cease regarding the host as a Known HSTS Host, including the
        includeSubDomains directive (if asserted for that HSTS Host).
        See also Section 8.1 ("Strict-Transport-Security Response
        Header Field Processing").

6.1.2. The includeSubDomains Directive

 The OPTIONAL "includeSubDomains" directive is a valueless directive
 which, if present (i.e., it is "asserted"), signals the UA that the
 HSTS Policy applies to this HSTS Host as well as any subdomains of
 the host's domain name.

6.2. Examples

 The HSTS header field below stipulates that the HSTS Policy is to
 remain in effect for one year (there are approximately 31536000
 seconds in a year), and the policy applies only to the domain of the
 HSTS Host issuing it:
   Strict-Transport-Security: max-age=31536000
 The HSTS header field below stipulates that the HSTS Policy is to
 remain in effect for approximately six months and that the policy
 applies to the domain of the issuing HSTS Host and all of its
 subdomains:
   Strict-Transport-Security: max-age=15768000 ; includeSubDomains

Hodges, et al. Standards Track [Page 16] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 The max-age directive value can optionally be quoted:
   Strict-Transport-Security: max-age="31536000"
 The HSTS header field below indicates that the UA must delete the
 entire HSTS Policy associated with the HSTS Host that sent the header
 field:
   Strict-Transport-Security: max-age=0
 The HSTS header field below has exactly the same effect as the one
 immediately above because the includeSubDomains directive's presence
 in the HSTS header field is ignored when max-age is zero:
   Strict-Transport-Security: max-age=0; includeSubDomains

7. Server Processing Model

 This section describes the processing model that HSTS Hosts
 implement.  The model comprises two facets: the first being the
 processing rules for HTTP request messages received over a secure
 transport (TLS [RFC5246] or SSL [RFC6101]; see also Section 14.1
 ("Underlying Secure Transport Considerations")), and the second being
 the processing rules for HTTP request messages received over
 non-secure transports, such as TCP.

7.1. HTTP-over-Secure-Transport Request Type

 When replying to an HTTP request that was conveyed over a secure
 transport, an HSTS Host SHOULD include in its response message an STS
 header field that MUST satisfy the grammar specified above in
 Section 6.1 ("Strict-Transport-Security HTTP Response Header Field").
 If an STS header field is included, the HSTS Host MUST include only
 one such header field.
 Establishing a given host as a Known HSTS Host, in the context of a
 given UA, MAY be accomplished over HTTP, which is in turn running
 over secure transport, by correctly returning (per this
 specification) at least one valid STS header field to the UA.  Other
 mechanisms, such as a client-side pre-loaded Known HSTS Host list,
 MAY also be used; e.g., see Section 12 ("User Agent Implementation
 Advice").
 NOTE:  Including the STS header field is stipulated as a "SHOULD" in
        order to accommodate various server- and network-side caches
        and load-balancing configurations where it may be difficult to
        uniformly emit STS header fields on behalf of a given HSTS
        Host.

Hodges, et al. Standards Track [Page 17] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

7.2. HTTP Request Type

 If an HSTS Host receives an HTTP request message over a non-secure
 transport, it SHOULD send an HTTP response message containing a
 status code indicating a permanent redirect, such as status code 301
 (Section 10.3.2 of [RFC2616]), and a Location header field value
 containing either the HTTP request's original Effective Request URI
 (see Section 9 ("Constructing an Effective Request URI")) altered as
 necessary to have a URI scheme of "https", or a URI generated
 according to local policy with a URI scheme of "https".
 NOTE:  The above behavior is a "SHOULD" rather than a "MUST" due to:
  • Risks in server-side non-secure-to-secure redirects

[OWASP-TLSGuide].

  • Site deployment characteristics. For example, a site that

incorporates third-party components may not behave correctly

       when doing server-side non-secure-to-secure redirects in the
       case of being accessed over non-secure transport but does
       behave correctly when accessed uniformly over secure transport.
       The latter is the case given an HSTS-capable UA that has
       already noted the site as a Known HSTS Host (by whatever means,
       e.g., prior interaction or UA configuration).
 An HSTS Host MUST NOT include the STS header field in HTTP responses
 conveyed over non-secure transport.

8. User Agent Processing Model

 This section describes the HTTP Strict Transport Security processing
 model for UAs.  There are several facets to the model, enumerated by
 the following subsections.
 This processing model assumes that the UA implements IDNA2008
 [RFC5890], or possibly IDNA2003 [RFC3490], as noted in Section 13
 ("Internationalized Domain Names for Applications (IDNA): Dependency
 and Migration").  It also assumes that all domain names manipulated
 in this specification's context are already IDNA-canonicalized as
 outlined in Section 10 ("Domain Name IDNA-Canonicalization") prior to
 the processing specified in this section.
    NOTE:  [RFC3490] is referenced due to its ongoing relevance to
           actual deployments for the foreseeable future.
 The above assumptions mean that this processing model also
 specifically assumes that appropriate IDNA and Unicode validations
 and character list testing have occurred on the domain names, in

Hodges, et al. Standards Track [Page 18] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 conjunction with their IDNA-canonicalization, prior to the processing
 specified in this section.  See the IDNA-specific security
 considerations in Section 14.10 ("Internationalized Domain Names")
 for rationale and further details.

8.1. Strict-Transport-Security Response Header Field Processing

 If an HTTP response, received over a secure transport, includes an
 STS header field, conforming to the grammar specified in Section 6.1
 ("Strict-Transport-Security HTTP Response Header Field"), and there
 are no underlying secure transport errors or warnings (see
 Section 8.4), the UA MUST either:
 o  Note the host as a Known HSTS Host if it is not already so noted
    (see Section 8.1.1 ("Noting an HSTS Host - Storage Model")),
 or
 o  Update the UA's cached information for the Known HSTS Host if
    either or both of the max-age and includeSubDomains header field
    value tokens are conveying information different than that already
    maintained by the UA.
    The max-age value is essentially a "time to live" value relative
    to the reception time of the STS header field.
    If the max-age header field value token has a value of zero, the
    UA MUST remove its cached HSTS Policy information (including the
    includeSubDomains directive, if asserted) if the HSTS Host is
    known, or the UA MUST NOT note this HSTS Host if it is not yet
    known.
    If a UA receives more than one STS header field in an HTTP
    response message over secure transport, then the UA MUST process
    only the first such header field.
 Otherwise:
 o  If an HTTP response is received over insecure transport, the UA
    MUST ignore any present STS header field(s).
 o  The UA MUST ignore any STS header fields not conforming to the
    grammar specified in Section 6.1 ("Strict-Transport-Security HTTP
    Response Header Field").

Hodges, et al. Standards Track [Page 19] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

8.1.1. Noting an HSTS Host - Storage Model

 If the substring matching the host production from the Request-URI
 (of the message to which the host responded) syntactically matches
 the IP-literal or IPv4address productions from Section 3.2.2 of
 [RFC3986], then the UA MUST NOT note this host as a Known HSTS Host.
 Otherwise, if the substring does not congruently match a Known HSTS
 Host's domain name, per the matching procedure specified in
 Section 8.2 ("Known HSTS Host Domain Name Matching"), then the UA
 MUST note this host as a Known HSTS Host, caching the HSTS Host's
 domain name and noting along with it the expiry time of this
 information, as effectively stipulated per the given max-age value,
 as well as whether the includeSubDomains directive is asserted or
 not.  See also Section 11.2 ("HSTS Policy Expiration Time
 Considerations").
 The UA MUST NOT modify the expiry time or the includeSubDomains
 directive of any superdomain matched Known HSTS Host.
 A Known HSTS Host is "expired" if its cache entry has an expiry date
 in the past.  The UA MUST evict all expired Known HSTS Hosts from its
 cache if, at any time, an expired Known HSTS Host exists in the
 cache.

8.2. Known HSTS Host Domain Name Matching

 A given domain name may match a Known HSTS Host's domain name in one
 or both of two fashions: a congruent match, or a superdomain match.
 Alternatively, there may be no match.
 The steps below determine whether there are any matches, and if so,
 of which fashion:
    Compare the given domain name with the domain name of each of the
    UA's unexpired Known HSTS Hosts.  For each Known HSTS Host's
    domain name, the comparison is done with the given domain name
    label-by-label (comparing only labels) using an ASCII case-
    insensitive comparison beginning with the rightmost label, and
    continuing right-to-left.  See also Section 2.3.2.4 of [RFC5890].
  • Superdomain Match
       If a label-for-label match between an entire Known HSTS Host's
       domain name and a right-hand portion of the given domain name
       is found, then this Known HSTS Host's domain name is a
       superdomain match for the given domain name.  There could be
       multiple superdomain matches for a given domain name.

Hodges, et al. Standards Track [Page 20] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

       For example:
          Given domain name (DN):   qaz.bar.foo.example.com
          Superdomain matched
          Known HSTS Host DN:           bar.foo.example.com
          Superdomain matched
          Known HSTS Host DN:               foo.example.com
  • Congruent Match
       If a label-for-label match between a Known HSTS Host's domain
       name and the given domain name is found -- i.e., there are no
       further labels to compare -- then the given domain name
       congruently matches this Known HSTS Host.
       For example:
          Given domain name:                foo.example.com
          Congruently matched
          Known HSTS Host DN:               foo.example.com
  • Otherwise, if no matches are found, the given domain name does

not represent a Known HSTS Host.

8.3. URI Loading and Port Mapping

 Whenever the UA prepares to "load" (also known as "dereference") any
 "http" URI [RFC3986] (including when following HTTP redirects
 [RFC2616]), the UA MUST first determine whether a domain name is
 given in the URI and whether it matches a Known HSTS Host, using
 these steps:
 1.  Extract from the URI any substring described by the host
     component of the authority component of the URI.
 2.  If the substring is null, then there is no match with any Known
     HSTS Host.
 3.  Else, if the substring is non-null and syntactically matches the
     IP-literal or IPv4address productions from Section 3.2.2 of
     [RFC3986], then there is no match with any Known HSTS Host.

Hodges, et al. Standards Track [Page 21] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 4.  Otherwise, the substring is a given domain name, which MUST be
     matched against the UA's Known HSTS Hosts using the procedure in
     Section 8.2 ("Known HSTS Host Domain Name Matching").
 5.  If, when performing domain name matching any superdomain match
     with an asserted includeSubDomains directive is found, or, if no
     superdomain matches with asserted includeSubDomains directives
     are found and a congruent match is found (with or without an
     asserted includeSubDomains directive), then before proceeding
     with the load:
        The UA MUST replace the URI scheme with "https" [RFC2818], and
        if the URI contains an explicit port component of "80", then
        the UA MUST convert the port component to be "443", or
        if the URI contains an explicit port component that is not
        equal to "80", the port component value MUST be preserved;
        otherwise,
        if the URI does not contain an explicit port component, the UA
        MUST NOT add one.
        NOTE:  These steps ensure that the HSTS Policy applies to HTTP
               over any TCP port of an HSTS Host.
 NOTE:  In the case where an explicit port is provided (and to a
        lesser extent with subdomains), it is reasonably likely that
        there is actually an HTTP (i.e., non-secure) server running on
        the specified port and that an HTTPS request will thus fail
        (see item 6 in Appendix A ("Design Decision Notes")).

8.4. Errors in Secure Transport Establishment

 When connecting to a Known HSTS Host, the UA MUST terminate the
 connection (see also Section 12 ("User Agent Implementation Advice"))
 if there are any errors, whether "warning" or "fatal" or any other
 error level, with the underlying secure transport.  For example, this
 includes any errors found in certificate validity checking that UAs
 employ, such as via Certificate Revocation Lists (CRLs) [RFC5280], or
 via the Online Certificate Status Protocol (OCSP) [RFC2560], as well
 as via TLS server identity checking [RFC6125].

8.5. HTTP-Equiv <Meta> Element Attribute

 UAs MUST NOT heed http-equiv="Strict-Transport-Security" attribute
 settings on <meta> elements [W3C.REC-html401-19991224] in received
 content.

Hodges, et al. Standards Track [Page 22] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

8.6. Missing Strict-Transport-Security Response Header Field

 If a UA receives HTTP responses from a Known HSTS Host over a secure
 channel but the responses are missing the STS header field, the UA
 MUST continue to treat the host as a Known HSTS Host until the
 max-age value for the knowledge of that Known HSTS Host is reached.
 Note that the max-age value could be effectively infinite for a given
 Known HSTS Host.  For example, this would be the case if the Known
 HSTS Host is part of a pre-configured list that is implemented such
 that the list entries never "age out".

9. Constructing an Effective Request URI

 This section specifies how an HSTS Host must construct the Effective
 Request URI for a received HTTP request.
 HTTP requests often do not carry an absoluteURI for the target
 resource; instead, the URI needs to be inferred from the Request-URI,
 Host header field, and connection context ([RFC2616], Sections 3.2.1,
 5.1.2, and 5.2).  The result of this process is called the "effective
 request URI (ERU)".  The "target resource" is the resource identified
 by the effective request URI.

9.1. ERU Fundamental Definitions

 The first line of an HTTP request message, Request-Line, is specified
 by the following ABNF from [RFC2616], Section 5.1:
   Request-Line   = Method SP Request-URI SP HTTP-Version CRLF
 The Request-URI, within the Request-Line, is specified by the
 following ABNF from [RFC2616], Section 5.1.2:
   Request-URI    = "*" | absoluteURI | abs_path | authority
 The Host request header field is specified by the following ABNF from
 [RFC2616], Section 14.23:
   Host = "Host" ":" host [ ":" port ]

Hodges, et al. Standards Track [Page 23] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

9.2. Determining the Effective Request URI

 If the Request-URI is an absoluteURI, then the effective request URI
 is the Request-URI.
 If the Request-URI uses the abs_path form or the asterisk form, and
 the Host header field is present, then the effective request URI is
 constructed by concatenating:
 o  the scheme name: "http" if the request was received over an
    insecure TCP connection, or "https" when received over a TLS/
    SSL-secured TCP connection, and
 o  the octet sequence "://", and
 o  the host, and the port (if present), from the Host header field,
    and
 o  the Request-URI obtained from the Request-Line, unless the
    Request-URI is just the asterisk "*".
 If the Request-URI uses the abs_path form or the asterisk form, and
 the Host header field is not present, then the effective request URI
 is undefined.
 Otherwise, when Request-URI uses the authority form, the effective
 request URI is undefined.
 Effective request URIs are compared using the rules described in
 [RFC2616] Section 3.2.3, except that empty path components MUST NOT
 be treated as equivalent to an absolute path of "/".

9.2.1. Effective Request URI Examples

 Example 1: the effective request URI for the message
   GET /pub/WWW/TheProject.html HTTP/1.1
   Host: www.example.org:8080
 (received over an insecure TCP connection) is "http", plus "://",
 plus the authority component "www.example.org:8080", plus the
 request-target "/pub/WWW/TheProject.html".  Thus, it is
 "http://www.example.org:8080/pub/WWW/TheProject.html".

Hodges, et al. Standards Track [Page 24] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 Example 2: the effective request URI for the message
   OPTIONS * HTTP/1.1
   Host: www.example.org
 (received over an SSL/TLS secured TCP connection) is "https", plus
 "://", plus the authority component "www.example.org".  Thus, it is
 "https://www.example.org".

10. Domain Name IDNA-Canonicalization

 An IDNA-canonicalized domain name is the output string generated by
 the following steps.  The input is a putative domain name string
 ostensibly composed of any combination of "A-labels", "U-labels", and
 "NR-LDH labels" (see Section 2 of [RFC5890]) concatenated using some
 separator character (typically ".").
 1.  Convert the input putative domain name string to an order-
     preserving sequence of individual label strings.
 2.  When implementing IDNA2008, convert, validate, and test each
     A-label and U-label found among the sequence of individual label
     strings, using the procedures defined in Sections 5.3 through 5.5
     of [RFC5891].
     Otherwise, when implementing IDNA2003, convert each label using
     the "ToASCII" conversion in Section 4 of [RFC3490] (see also the
     definition of "equivalence of labels" in Section 2 of [RFC3490]).
 3.  If no errors occurred during the foregoing step, concatenate all
     the labels in the sequence, in order, into a string, separating
     each label from the next with a %x2E (".") character.  The
     resulting string, known as an IDNA-canonicalized domain name, is
     appropriate for use in the context of Section 8 ("User Agent
     Processing Model").
     Otherwise, errors occurred.  The input putative domain name
     string was not successfully IDNA-canonicalized.  Invokers of this
     procedure should attempt appropriate error recovery.
 See also Sections 13 ("Internationalized Domain Names for
 Applications (IDNA): Dependency and Migration") and 14.10
 ("Internationalized Domain Names") of this specification for further
 details and considerations.

Hodges, et al. Standards Track [Page 25] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

11. Server Implementation and Deployment Advice

 This section is non-normative.

11.1. Non-Conformant User Agent Considerations

 Non-conformant UAs ignore the Strict-Transport-Security header field;
 thus, non-conformant user agents do not address the threats described
 in Section 2.3.1 ("Threats Addressed").  Please refer to Section 14.2
 ("Non-Conformant User Agent Implications") for further discussion.

11.2. HSTS Policy Expiration Time Considerations

 Server implementations and deploying web sites need to consider
 whether they are setting an expiry time that is a constant value into
 the future, or whether they are setting an expiry time that is a
 fixed point in time.
 The "constant value into the future" approach can be accomplished by
 constantly sending the same max-age value to UAs.
 For example, a max-age value of 7776000 seconds is 90 days:
   Strict-Transport-Security: max-age=7776000
 Note that each receipt of this header by a UA will require the UA to
 update its notion of when it must delete its knowledge of this Known
 HSTS Host.
 The "fixed point in time" approach can be accomplished by sending
 max-age values that represent the remaining time until the desired
 expiry time.  This would require the HSTS Host to send a newly
 calculated max-age value in each HTTP response.
 A consideration here is whether a deployer wishes to have the
 signaled HSTS Policy expiry time match that for the web site's domain
 certificate.
 Additionally, server implementers should consider employing a default
 max-age value of zero in their deployment configuration systems.
 This will require deployers to willfully set max-age in order to have
 UAs enforce the HSTS Policy for their host and will protect them from
 inadvertently enabling HSTS with some arbitrary non-zero duration.

Hodges, et al. Standards Track [Page 26] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

11.3. Using HSTS in Conjunction with Self-Signed Public-Key

     Certificates
 If all four of the following conditions are true...
 o  a web site/organization/enterprise is generating its own secure
    transport public-key certificates for web sites, and
 o  that organization's root certification authority (CA) certificate
    is not typically embedded by default in browser and/or operating
    system CA certificate stores, and
 o  HSTS Policy is enabled on a host identifying itself using a
    certificate signed by the organization's CA (i.e., a "self-signed
    certificate"), and
 o  this certificate does not match a usable TLS certificate
    association (as defined by Section 4 of the TLSA protocol
    specification [RFC6698]),
 ...then secure connections to that site will fail, per the HSTS
 design.  This is to protect against various active attacks, as
 discussed above.
 However, if said organization wishes to employ its own CA, and self-
 signed certificates, in concert with HSTS, it can do so by deploying
 its root CA certificate to its users' browsers or operating system CA
 root certificate stores.  It can also, in addition or instead,
 distribute to its users' browsers the end-entity certificate(s) for
 specific hosts.  There are various ways in which this can be
 accomplished (details are out of scope for this specification).  Once
 its root CA certificate is installed in the browsers, it may employ
 HSTS Policy on its site(s).
 Alternatively, that organization can deploy the TLSA protocol; all
 browsers that also use TLSA will then be able to trust the
 certificates identified by usable TLS certificate associations as
 denoted via TLSA.
 NOTE:  Interactively distributing root CA certificates to users,
        e.g., via email, and having the users install them, is
        arguably training the users to be susceptible to a possible
        form of phishing attack.  See Section 14.8 ("Bogus Root CA
        Certificate Phish plus DNS Cache Poisoning Attack").  Thus,
        care should be taken in the manner in which such certificates
        are distributed and installed on users' systems and browsers.

Hodges, et al. Standards Track [Page 27] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

11.4. Implications of includeSubDomains

 The includeSubDomains directive has practical implications meriting
 careful consideration; two example scenarios are:
 o  An HSTS Host offers unsecured HTTP-based services on alternate
    ports or at various subdomains of its HSTS Host domain name.
 o  Distinct web applications are offered at distinct subdomains of an
    HSTS Host, such that UAs often interact directly with these
    subdomain web applications without having necessarily interacted
    with a web application offered at the HSTS Host's domain name (if
    any).
 The sections below discuss each of these scenarios in turn.

11.4.1. Considerations for Offering Unsecured HTTP Services at

       Alternate Ports or Subdomains of an HSTS Host
 For example, certification authorities often offer their CRL
 distribution and OCSP services [RFC2560] over plain HTTP, and
 sometimes at a subdomain of a publicly available web application that
 may be secured by TLS/SSL.  For example, <https://ca.example.com/> is
 a publicly available web application for "Example CA", a
 certification authority.  Customers use this web application to
 register their public keys and obtain certificates.  "Example CA"
 generates certificates for customers containing
 <http://crl-and-ocsp.ca.example.com/> as the value for the "CRL
 Distribution Points" and "Authority Information Access:OCSP"
 certificate fields.
 If ca.example.com were to issue an HSTS Policy with the
 includeSubDomains directive, then HTTP-based user agents implementing
 HSTS that have interacted with the ca.example.com web application
 would fail to retrieve CRLs and fail to check OCSP for certificates,
 because these services are offered over plain HTTP.
 In this case, Example CA can either:
 o  not use the includeSubDomains directive, or
 o  ensure that HTTP-based services offered at subdomains of
    ca.example.com are also uniformly offered over TLS/SSL, or

Hodges, et al. Standards Track [Page 28] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 o  offer plain HTTP-based services at a different domain name, e.g.,
    crl-and-ocsp.ca.example.NET, or
 o  utilize an alternative approach to distributing certificate status
    information, obviating the need to offer CRL distribution and OCSP
    services over plain HTTP (e.g., the "Certificate Status Request"
    TLS extension [RFC6066], often colloquially referred to as "OCSP
    Stapling").
 NOTE:  The above points are expressly only an example and do not
        purport to address all the involved complexities.  For
        instance, there are many considerations -- on the part of CAs,
        certificate deployers, and applications (e.g., browsers) --
        involved in deploying an approach such as "OCSP Stapling".
        Such issues are out of scope for this specification.

11.4.2. Considerations for Offering Web Applications at Subdomains of

       an HSTS Host
 In this scenario, an HSTS Host declares an HSTS Policy with an
 includeSubDomains directive, and there also exist distinct web
 applications offered at distinct subdomains of the HSTS Host such
 that UAs often interact directly with these subdomain web
 applications without having necessarily interacted with the HSTS
 Host.  In such a case, the UAs will not receive or enforce the HSTS
 Policy.
 For example, the HSTS Host is "example.com", and it is configured to
 emit the STS header field with the includeSubDomains directive.
 However, example.com's actual web application is addressed at
 "www.example.com", and example.com simply redirects user agents to
 "https://www.example.com/".
 If the STS header field is only emitted by "example.com" but UAs
 typically bookmark -- and links (from anywhere on the web) are
 typically established to -- "www.example.com", and "example.com" is
 not contacted directly by all user agents in some non-zero percentage
 of interactions, then some number of UAs will not note "example.com"
 as an HSTS Host, and some number of users of "www.example.com" will
 be unprotected by HSTS Policy.
 To address this, HSTS Hosts should be configured such that the STS
 header field is emitted directly at each HSTS Host domain or
 subdomain name that constitutes a well-known "entry point" to one's
 web application(s), whether or not the includeSubDomains directive is
 employed.

Hodges, et al. Standards Track [Page 29] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 Thus, in our example, if the STS header field is emitted from both
 "example.com" and "www.example.com", this issue will be addressed.
 Also, if there are any other well-known entry points to web
 applications offered by "example.com", such as "foo.example.com",
 they should also be configured to emit the STS header field.

12. User Agent Implementation Advice

 This section is non-normative.
 In order to provide users and web sites more effective protection, as
 well as controls for managing their UA's caching of HSTS Policy, UA
 implementers should consider including features such as the
 following:

12.1. No User Recourse

 Failing secure connection establishment on any warnings or errors
 (per Section 8.4 ("Errors in Secure Transport Establishment")) should
 be done with "no user recourse".  This means that the user should not
 be presented with a dialog giving her the option to proceed.  Rather,
 it should be treated similarly to a server error where there is
 nothing further the user can do with respect to interacting with the
 target web application, other than wait and retry.
 Essentially, "any warnings or errors" means anything that would cause
 the UA implementation to announce to the user that something is not
 entirely correct with the connection establishment.
 Not doing this, i.e., allowing user recourse such as "clicking
 through warning/error dialogs", is a recipe for a man-in-the-middle
 attack.  If a web application issues an HSTS Policy, then it is
 implicitly opting into the "no user recourse" approach, whereby all
 certificate errors or warnings cause a connection termination, with
 no chance to "fool" users into making the wrong decision and
 compromising themselves.

12.2. User-Declared HSTS Policy

 A user-declared HSTS Policy is the ability for users to explicitly
 declare a given domain name as representing an HSTS Host, thus
 seeding it as a Known HSTS Host before any actual interaction with
 it.  This would help protect against the bootstrap MITM vulnerability
 as discussed in Section 14.6 ("Bootstrap MITM Vulnerability").

Hodges, et al. Standards Track [Page 30] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 NOTE:  Such a feature is difficult to get right on a per-site basis.
        See the discussion of "rewrite rules" in Section 5.5 of
        [ForceHTTPS].  For example, arbitrary web sites may not
        materialize all their URIs using the "https" scheme and thus
        could "break" if a UA were to attempt to access the site
        exclusively using such URIs.  Also note that this feature
        would complement, but is independent of, an "HSTS pre-loaded
        list" feature (see Section 12.3).

12.3. HSTS Pre-Loaded List

 An HSTS pre-loaded list is a facility whereby web site administrators
 can have UAs pre-configured with HSTS Policy for their site(s) by the
 UA vendor(s) -- a so-called "pre-loaded list" -- in a manner similar
 to how root CA certificates are embedded in browsers "at the
 factory".  This would help protect against the bootstrap MITM
 vulnerability (Section 14.6).
 NOTE:  Such a facility would complement a "user-declared HSTS Policy"
        feature (Section 12.2).

12.4. Disallow Mixed Security Context Loads

 "Mixed security context" loads happen when a web application
 resource, fetched by the UA over a secure transport, subsequently
 causes the fetching of one or more other resources without using
 secure transport.  This is also generally referred to as "mixed
 content" loads (see Section 5.3 ("Mixed Content") in
 [W3C.REC-wsc-ui-20100812]) but should not be confused with the same
 "mixed content" term that is also used in the context of markup
 languages such as XML and HTML.
 NOTE:  In order to provide behavioral uniformity across UA
        implementations, the notion of mixed security context will
        require further standardization work, e.g., to define the
        term(s) more clearly and to define specific behaviors with
        respect to it.

12.5. HSTS Policy Deletion

 HSTS Policy deletion is the ability to delete a UA's cached HSTS
 Policy on a per-HSTS Host basis.
 NOTE:  Adding such a feature should be done very carefully in both
        the user interface and security senses.  Deleting a cache
        entry for a Known HSTS Host should be a very deliberate and
        well-considered act -- it shouldn't be something that users
        get used to doing as a matter of course: e.g., just "clicking

Hodges, et al. Standards Track [Page 31] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

        through" in order to get work done.  Also, implementations
        need to guard against allowing an attacker to inject code,
        e.g., ECMAscript, into the UA that silently and
        programmatically removes entries from the UA's cache of Known
        HSTS Hosts.

13. Internationalized Domain Names for Applications (IDNA): Dependency

   and Migration
 Textual domain names on the modern Internet may contain one or more
 "internationalized" domain name labels.  Such domain names are
 referred to as "internationalized domain names" (IDNs).  The
 specification suites defining IDNs and the protocols for their use
 are named "Internationalized Domain Names for Applications (IDNA)".
 At this time, there are two such specification suites: IDNA2008
 [RFC5890] and its predecessor IDNA2003 [RFC3490].
 IDNA2008 obsoletes IDNA2003, but there are differences between the
 two specifications, and thus there can be differences in processing
 (e.g., converting) domain name labels that have been registered under
 one from those registered under the other.  There will be a
 transition period of some time during which IDNA2003-based domain
 name labels will exist in the wild.  In order to facilitate their
 IDNA transition, user agents SHOULD implement IDNA2008 [RFC5890] and
 MAY implement [RFC5895] (see also Section 7 of [RFC5894]) or [UTS46].
 If a user agent does not implement IDNA2008, the user agent MUST
 implement IDNA2003.

14. Security Considerations

 This specification concerns the expression, conveyance, and
 enforcement of the HSTS Policy.  The overall HSTS Policy threat
 model, including addressed and unaddressed threats, is given in
 Section 2.3 ("Threat Model").
 Additionally, the sections below discuss operational ramifications of
 the HSTS Policy, provide feature rationale, discuss potential HSTS
 Policy misuse, and highlight some known vulnerabilities in the HSTS
 Policy regime.

14.1. Underlying Secure Transport Considerations

 This specification is fashioned to be independent of the secure
 transport underlying HTTP.  However, the threat analysis and
 requirements in Section 2 ("Overview") in fact presume TLS or SSL as
 the underlying secure transport.  Thus, employment of HSTS in the
 context of HTTP running over some other secure transport protocol
 would require assessment of that secure transport protocol's security

Hodges, et al. Standards Track [Page 32] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 model in conjunction with the specifics of how HTTP is layered over
 it in order to assess HSTS's subsequent security properties in that
 context.

14.2. Non-Conformant User Agent Implications

 Non-conformant user agents ignore the Strict-Transport-Security
 header field; thus, non-conformant user agents do not address the
 threats described in Section 2.3.1 ("Threats Addressed").
 This means that the web application and its users wielding
 non-conformant UAs will be vulnerable to both of the following:
 o  Passive network attacks due to web site development and deployment
    bugs:
       For example, if the web application contains any insecure
       references (e.g., "http") to the web application server, and if
       not all of its cookies are flagged as "Secure", then its
       cookies will be vulnerable to passive network sniffing and,
       potentially, subsequent misuse of user credentials.
 o  Active network attacks:
       For example, if an attacker is able to place a "man in the
       middle", secure transport connection attempts will likely yield
       warnings to the user, but without HSTS Policy being enforced,
       the present common practice is to allow the user to "click
       through" and proceed.  This renders the user and possibly the
       web application open to abuse by such an attacker.
 This is essentially the status quo for all web applications and their
 users in the absence of HSTS Policy.  Since web application providers
 typically do not control the type or version of UAs their web
 applications interact with, the implication is that HSTS Host
 deployers must generally exercise the same level of care to avoid web
 site development and deployment bugs (see Section 2.3.1.3) as they
 would if they were not asserting HSTS Policy.

14.3. Ramifications of HSTS Policy Establishment Only over Error-Free

     Secure Transport
 The user agent processing model defined in Section 8 ("User Agent
 Processing Model") stipulates that a host is initially noted as a
 Known HSTS Host, or that updates are made to a Known HSTS Host's
 cached information, only if the UA receives the STS header field over
 a secure transport connection having no underlying secure transport
 errors or warnings.

Hodges, et al. Standards Track [Page 33] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 The rationale behind this is that if there is a "man in the middle"
 (MITM) -- whether a legitimately deployed proxy or an illegitimate
 entity -- it could cause various mischief (see also Appendix A
 ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap
 MITM Vulnerability")); for example:
 o  Unauthorized notation of the host as a Known HSTS Host,
    potentially leading to a denial-of-service situation if the host
    does not uniformly offer its services over secure transport (see
    also Section 14.5 ("Denial of Service")).
 o  Resetting the time to live for the host's designation as a Known
    HSTS Host by manipulating the max-age header field parameter value
    that is returned to the UA.  If max-age is returned as zero, this
    will cause the host to cease being regarded as a Known HSTS Host
    by the UA, leading to either insecure connections to the host or
    possibly denial of service if the host delivers its services only
    over secure transport.
 However, this means that if a UA is "behind" a MITM non-transparent
 TLS proxy -- within a corporate intranet, for example -- and
 interacts with an unknown HSTS Host beyond the proxy, the user could
 possibly be presented with the legacy secure connection error
 dialogs.  Even if the risk is accepted and the user "clicks through",
 the host will not be noted as an HSTS Host.  Thus, as long as the UA
 is behind such a proxy, the user will be vulnerable and will possibly
 be presented with the legacy secure connection error dialogs for
 as-yet unknown HSTS Hosts.
 Once the UA successfully connects to an unknown HSTS Host over error-
 free secure transport, the host will be noted as a Known HSTS Host.
 This will result in the failure of subsequent connection attempts
 from behind interfering proxies.
 The above discussion relates to the recommendation in Section 12
 ("User Agent Implementation Advice") that the secure connection be
 terminated with "no user recourse" whenever there are warnings and
 errors and the host is a Known HSTS Host.  Such a posture protects
 users from "clicking through" security warnings and putting
 themselves at risk.

14.4. The Need for includeSubDomains

 Without the includeSubDomains directive, a web application would not
 be able to adequately protect so-called "domain cookies" (even if
 these cookies have their "Secure" flag set and thus are conveyed only
 on secure channels).  These are cookies the web application expects
 UAs to return to any and all subdomains of the web application.

Hodges, et al. Standards Track [Page 34] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 For example, suppose example.com represents the top-level DNS name
 for a web application.  Further suppose that this cookie is set for
 the entire example.com domain, i.e., it is a "domain cookie", and it
 has its Secure flag set.  Suppose example.com is a Known HSTS Host
 for this UA, but the includeSubDomains directive is not set.
 Now, if an attacker causes the UA to request a subdomain name that is
 unlikely to already exist in the web application, such as
 "https://uxdhbpahpdsf.example.com/", but that the attacker has
 managed to register in the DNS and point at an HTTP server under the
 attacker's control, then:
 1.  The UA is unlikely to already have an HSTS Policy established for
     "uxdhbpahpdsf.example.com".
 2.  The HTTP request sent to uxdhbpahpdsf.example.com will include
     the Secure-flagged domain cookie.
 3.  If "uxdhbpahpdsf.example.com" returns a certificate during TLS
     establishment, and the user "clicks through" any warning that
     might be presented (it is possible, but not certain, that one may
     obtain a requisite certificate for such a domain name such that a
     warning may or may not appear), then the attacker can obtain the
     Secure-flagged domain cookie that's ostensibly being protected.
 Without the "includeSubDomains" directive, HSTS is unable to protect
 such Secure-flagged domain cookies.

14.5. Denial of Service

 HSTS could be used to mount certain forms of Denial-of-Service (DoS)
 attacks against web sites.  A DoS attack is an attack in which one or
 more network entities target a victim entity and attempt to prevent
 the victim from doing useful work.  This section discusses such
 scenarios in terms of HSTS, though this list is not exhaustive.  See
 also [RFC4732] for a discussion of overall Internet DoS
 considerations.
 o  Web applications available over HTTP
    There is an opportunity for perpetrating DoS attacks with web
    applications (or critical portions of them) that are available
    only over HTTP without secure transport, if attackers can cause
    UAs to set HSTS Policy for such web applications' host(s).
    This is because once the HSTS Policy is set for a web
    application's host in a UA, the UA will only use secure transport
    to communicate with the host.  If the host is not using secure

Hodges, et al. Standards Track [Page 35] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

    transport or is not using it for critical portions of its web
    application, then the web application will be rendered unusable
    for the UA's user.
    NOTE:  This is a use case for UAs to offer an "HSTS Policy
           deletion" feature as noted in Section 12.5 ("HSTS Policy
           Deletion").
    An HSTS Policy can be set for a victim host in various ways:
  • If the web application has an HTTP response splitting

vulnerability [CWE-113] (which can be abused in order to

       facilitate "HTTP header injection").
  • If an attacker can spoof a redirect from an insecure victim

site, e.g., <http://example.com/> to <https://example.com/>,

       where the latter is attacker-controlled and has an apparently
       valid certificate.  In this situation, the attacker can then
       set an HSTS Policy for example.com and also for all subdomains
       of example.com.
  • If an attacker can convince users to manually configure HSTS

Policy for a victim host. This assumes that their UAs offer

       such a capability (see Section 12 ("User Agent Implementation
       Advice")).  Alternatively, if such UA configuration is
       scriptable, then an attacker can cause UAs to execute his
       script and set HSTS Policies for whichever desired domains.
 o  Inadvertent use of includeSubDomains
    The includeSubDomains directive instructs UAs to automatically
    regard all subdomains of the given HSTS Host as Known HSTS Hosts.
    If any such subdomains do not support properly configured secure
    transport, then they will be rendered unreachable from such UAs.

14.6. Bootstrap MITM Vulnerability

 Bootstrap MITM (man-in-the-middle) vulnerability is a vulnerability
 that users and HSTS Hosts encounter in the situation where the user
 manually enters, or follows a link, to an unknown HSTS Host using an
 "http" URI rather than an "https" URI.  Because the UA uses an
 insecure channel in the initial attempt to interact with the
 specified server, such an initial interaction is vulnerable to
 various attacks (see Section 5.3 of [ForceHTTPS]).
 NOTE:  There are various features/facilities that UA implementations
        may employ in order to mitigate this vulnerability.  Please
        see Section 12 ("User Agent Implementation Advice").

Hodges, et al. Standards Track [Page 36] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

14.7. Network Time Attacks

 Active network attacks can subvert network time protocols (such as
 the Network Time Protocol (NTP) [RFC5905]) -- making HSTS less
 effective against clients that trust NTP or lack a real time clock.
 Network time attacks are beyond the scope of this specification.
 Note that modern operating systems use NTP by default.  See also
 Section 2.10 of [RFC4732].

14.8. Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack

 An attacker could conceivably obtain users' login credentials
 belonging to a victim HSTS-protected web application via a bogus root
 CA certificate phish plus DNS cache poisoning attack.
 For example, the attacker could first convince users of a victim web
 application (which is protected by HSTS Policy) to install the
 attacker's version of a root CA certificate purporting (falsely) to
 represent the CA of the victim web application.  This might be
 accomplished by sending the users a phishing email message with a
 link to such a certificate, which their browsers may offer to install
 if clicked on.
 Then, if the attacker can perform an attack on the users' DNS
 servers, (e.g., via cache poisoning) and turn on HSTS Policy for
 their fake web application, the affected users' browsers would access
 the attacker's web application rather than the legitimate web
 application.
 This type of attack leverages vectors that are outside of the scope
 of HSTS.  However, the feasibility of such threats can be mitigated
 by including in a web application's overall deployment approach
 appropriate employment, in addition to HSTS, of security facilities
 such as DNS Security Extensions [RFC4033], plus techniques to block
 email phishing and fake certificate injection.

14.9. Creative Manipulation of HSTS Policy Store

 Since an HSTS Host may select its own host name and subdomains
 thereof, and this information is cached in the HSTS Policy store of
 conforming UAs, it is possible for those who control one or more HSTS
 Hosts to encode information into domain names they control and cause
 such UAs to cache this information as a matter of course in the
 process of noting the HSTS Host.  This information can be retrieved
 by other hosts through cleverly constructed and loaded web resources,
 causing the UA to send queries to (variations of) the encoded domain
 names.  Such queries can reveal whether the UA had previously visited
 the original HSTS Host (and subdomains).

Hodges, et al. Standards Track [Page 37] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 Such a technique could potentially be abused as yet another form of
 "web tracking" [WebTracking].

14.10. Internationalized Domain Names

 Internet security relies in part on the DNS and the domain names it
 hosts.  Domain names are used by users to identify and connect to
 Internet hosts and other network resources.  For example, Internet
 security is compromised if a user entering an internationalized
 domain name (IDN) is connected to different hosts based on different
 interpretations of the IDN.
 The processing models specified in this specification assume that the
 domain names they manipulate are IDNA-canonicalized, and that the
 canonicalization process correctly performed all appropriate IDNA and
 Unicode validations and character list testing per the requisite
 specifications (e.g., as noted in Section 10 ("Domain Name IDNA-
 Canonicalization")).  These steps are necessary in order to avoid
 various potentially compromising situations.
 In brief, examples of issues that could stem from lack of careful and
 consistent Unicode and IDNA validations include unexpected processing
 exceptions, truncation errors, and buffer overflows, as well as
 false-positive and/or false-negative domain name matching results.
 Any of the foregoing issues could possibly be leveraged by attackers
 in various ways.
 Additionally, IDNA2008 [RFC5890] differs from IDNA2003 [RFC3490] in
 terms of disallowed characters and character mapping conventions.
 This situation can also lead to false-positive and/or false-negative
 domain name matching results, resulting in, for example, users
 possibly communicating with unintended hosts or not being able to
 reach intended hosts.
 For details, refer to the Security Considerations sections of
 [RFC5890], [RFC5891], and [RFC3490], as well as the specifications
 they normatively reference.  Additionally, [RFC5894] provides
 detailed background and rationale for IDNA2008 in particular, as well
 as IDNA and its issues in general, and should be consulted in
 conjunction with the former specifications.

Hodges, et al. Standards Track [Page 38] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

15. IANA Considerations

 Below is the Internet Assigned Numbers Authority (IANA) Permanent
 Message Header Field registration information per [RFC3864].
   Header field name:           Strict-Transport-Security
   Applicable protocol:         http
   Status:                      standard
   Author/Change controller:    IETF
   Specification document(s):   this one

16. References

16.1. Normative References

 [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.
 [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
            Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
            Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
 [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
 [RFC3490]  Faltstrom, P., Hoffman, P., and A. Costello,
            "Internationalizing Domain Names in Applications (IDNA)",
            RFC 3490, March 2003.
 [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
            Procedures for Message Header Fields", BCP 90, RFC 3864,
            September 2004.
 [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
            Resource Identifier (URI): Generic Syntax", STD 66,
            RFC 3986, January 2005.
 [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
            (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 [RFC5890]  Klensin, J., "Internationalized Domain Names for
            Applications (IDNA): Definitions and Document Framework",
            RFC 5890, August 2010.
 [RFC5891]  Klensin, J., "Internationalized Domain Names in
            Applications (IDNA): Protocol", RFC 5891, August 2010.

Hodges, et al. Standards Track [Page 39] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 [RFC5895]  Resnick, P. and P. Hoffman, "Mapping Characters for
            Internationalized Domain Names in Applications
            (IDNA) 2008", RFC 5895, September 2010.
 [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
            of Named Entities (DANE) Transport Layer Security (TLS)
            Protocol: TLSA", RFC 6698, August 2012.
 [UTS46]    Davis, M. and M. Suignard, "Unicode IDNA Compatibility
            Processing", Unicode Technical Standard #46,
            <http://unicode.org/reports/tr46/>.
 [Unicode]  The Unicode Consortium, "The Unicode Standard",
            <http://www.unicode.org/versions/latest/>.
 [W3C.REC-html401-19991224]
            Raggett, D., Le Hors, A., and I. Jacobs, "HTML 4.01
            Specification", World Wide Web Consortium Recommendation
            REC-html401-19991224, December 1999,
            <http://www.w3.org/TR/1999/REC-html401-19991224/>.

16.2. Informative References

 [Aircrack-ng]
            d'Otreppe, T., "Aircrack-ng", Accessed: 11-Jul-2010,
            <http://www.aircrack-ng.org/>.
 [BeckTews09]
            Beck, M. and E. Tews, "Practical Attacks Against WEP and
            WPA", Second ACM Conference on Wireless Network
            Security Zurich, Switzerland, 2009,
            <http://dl.acm.org/citation.cfm?id=1514286>.
 [CWE-113]  "CWE-113: Improper Neutralization of CRLF Sequences in
            HTTP Headers ('HTTP Response Splitting')", Common Weakness
            Enumeration <http://cwe.mitre.org/>, The Mitre
            Corporation <http://www.mitre.org/>,
            <http://cwe.mitre.org/data/definitions/113.html>.
 [Firesheep]
            Various, "Firesheep", Wikipedia Online, ongoing, <https://
            secure.wikimedia.org/wikipedia/en/w/
            index.php?title=Firesheep&oldid=517474182>.

Hodges, et al. Standards Track [Page 40] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 [ForceHTTPS]
            Jackson, C. and A. Barth, "ForceHTTPS:  Protecting High-
            Security Web Sites from Network Attacks", In Proceedings
            of the 17th International World Wide Web Conference
            (WWW2008) , 2008,
            <https://crypto.stanford.edu/forcehttps/>.
 [GoodDhamijaEtAl05]
            Good, N., Dhamija, R., Grossklags, J., Thaw, D.,
            Aronowitz, S., Mulligan, D., and J. Konstan, "Stopping
            Spyware at the Gate: A User Study of Privacy, Notice and
            Spyware", In Proceedings of Symposium On Usable Privacy
            and Security (SOUPS) Pittsburgh, PA, USA, July 2005,
            <http://www.law.berkeley.edu/files/
            Spyware_at_the_Gate.pdf>.
 [HTTP1_1-UPD]
            Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
            Transfer Protocol (HTTP/1.1): Message Syntax and Routing",
            Work in Progress, October 2012.
 [JacksonBarth2008]
            Jackson, C. and A. Barth, "Beware of Finer-Grained
            Origins", Web 2.0 Security and Privacy Workshop, Oakland,
            CA, USA, 2008,
            <http://seclab.stanford.edu/websec/origins/fgo.pdf>.
 [OWASP-TLSGuide]
            Coates, M., Wichers, D., Boberski, M., and T. Reguly,
            "Transport Layer Protection Cheat Sheet",
            Accessed: 11-Jul-2010, <http://www.owasp.org/index.php/
            Transport_Layer_Protection_Cheat_Sheet>.
 [RFC1035]  Mockapetris, P., "Domain names - implementation and
            specification", STD 13, RFC 1035, November 1987.
 [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
            Adams, "X.509 Internet Public Key Infrastructure Online
            Certificate Status Protocol - OCSP", RFC 2560, June 1999.
 [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
            Rose, "DNS Security Introduction and Requirements",
            RFC 4033, March 2005.
 [RFC4732]  Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
            Service Considerations", RFC 4732, December 2006.

Hodges, et al. Standards Track [Page 41] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
            RFC 4949, August 2007.
 [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
            IANA Considerations Section in RFCs", BCP 26, RFC 5226,
            May 2008.
 [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
            Housley, R., and W. Polk, "Internet X.509 Public Key
            Infrastructure Certificate and Certificate Revocation List
            (CRL) Profile", RFC 5280, May 2008.
 [RFC5894]  Klensin, J., "Internationalized Domain Names for
            Applications (IDNA): Background, Explanation, and
            Rationale", RFC 5894, August 2010.
 [RFC5905]  Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
            Time Protocol Version 4: Protocol and Algorithms
            Specification", RFC 5905, June 2010.
 [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
            Extension Definitions", RFC 6066, January 2011.
 [RFC6101]  Freier, A., Karlton, P., and P. Kocher, "The Secure
            Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
            August 2011.
 [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
            Verification of Domain-Based Application Service Identity
            within Internet Public Key Infrastructure Using X.509
            (PKIX) Certificates in the Context of Transport Layer
            Security (TLS)", RFC 6125, March 2011.
 [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
            April 2011.
 [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
            December 2011.
 [SunshineEgelmanEtAl09]
            Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., and
            L. Cranor, "Crying Wolf: An Empirical Study of SSL Warning
            Effectiveness", In Proceedings of 18th USENIX Security
            Symposium Montreal, Canada, August 2009, <http://
            www.usenix.org/events/sec09/tech/full_papers/
            sunshine.pdf>.

Hodges, et al. Standards Track [Page 42] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

 [W3C.REC-wsc-ui-20100812]
            Roessler, T. and A. Saldhana, "Web Security Context: User
            Interface Guidelines", World Wide Web Consortium
            Recommendation REC-wsc-ui-20100812, August 2010,
            <http://www.w3.org/TR/2010/REC-wsc-ui-20100812>.
 [WebTracking]
            Schmucker, N., "Web Tracking", SNET2 Seminar Paper
            - Summer Term, 2011, <http://www.snet.tu-berlin.de/
            fileadmin/fg220/courses/SS11/snet-project/
            web-tracking_schmuecker.pdf>.

Hodges, et al. Standards Track [Page 43] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

Appendix A. Design Decision Notes

 This appendix documents various design decisions.
 1.  Cookies aren't appropriate for HSTS Policy expression, as they
     are potentially mutable (while stored in the UA); therefore, an
     HTTP header field is employed.
 2.  We chose to not attempt to specify how "mixed security context
     loads" (also known as "mixed content loads") are handled, due to
     UA implementation considerations as well as classification
     difficulties.
 3.  An HSTS Host may update UA notions of HSTS Policy via new HSTS
     header field parameter values.  We chose to have UAs honor the
     "freshest" information received from a server because there is
     the chance of a web site sending out an erroneous HSTS Policy,
     such as a multi-year max-age value, and/or an incorrect
     includeSubDomains directive.  If the HSTS Host couldn't correct
     such errors over protocol, it would require some form of
     annunciation to users and manual intervention on the users' part,
     which could be a non-trivial problem for both web application
     providers and their users.
 4.  HSTS Hosts are identified only via domain names -- explicit IP
     address identification of all forms is excluded.  This is for
     simplification and also is in recognition of various issues with
     using direct IP address identification in concert with PKI-based
     security.
 5.  The max-age approach of having the HSTS Host provide a simple
     integer number of seconds for a cached HSTS Policy time-to-live
     value, as opposed to an approach of stating an expiration time in
     the future, was chosen for various reasons.  Amongst the reasons
     are no need for clock synchronization, no need to define date and
     time value syntaxes (specification simplicity), and
     implementation simplicity.
 6.  In determining whether port mapping was to be employed, the
     option of merely refusing to dereference any URL with an explicit
     port was considered.  It was felt, though, that the possibility
     that the URI to be dereferenced is incorrect (and there is indeed
     a valid HTTPS server at that port) is worth the small cost of
     possibly wasted HTTPS fetches to HTTP servers.

Hodges, et al. Standards Track [Page 44] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

Appendix B. Differences between HSTS Policy and Same-Origin Policy

 HSTS Policy has the following primary characteristics:
    HSTS Policy stipulates requirements for the security
    characteristics of UA-to-host connection establishment, on a
    per-host basis.
    Hosts explicitly declare HSTS Policy to UAs.  Conformant UAs are
    obliged to implement hosts' declared HSTS Policies.
    HSTS Policy is conveyed over protocol from the host to the UA.
    The UA maintains a cache of Known HSTS Hosts.
    UAs apply HSTS Policy whenever making an HTTP connection to a
    Known HSTS Host, regardless of host port number; i.e., it applies
    to all ports on a Known HSTS Host.  Hosts are unable to affect
    this aspect of HSTS Policy.
    Hosts may optionally declare that their HSTS Policy applies to all
    subdomains of their host domain name.
 In contrast, the Same-Origin Policy (SOP) [RFC6454] has the following
 primary characteristics:
    An origin is the scheme, host, and port of a URI identifying a
    resource.
    A UA may dereference a URI, thus loading a representation of the
    resource the URI identifies.  UAs label resource representations
    with their origins, which are derived from their URIs.
    The SOP refers to a collection of principles, implemented within
    UAs, governing the isolation of and communication between resource
    representations within the UA, as well as resource
    representations' access to network resources.
 In summary, although both HSTS Policy and SOP are enforced by UAs,
 HSTS Policy is optionally declared by hosts and is not origin-based,
 while the SOP applies to all resource representations loaded from all
 hosts by conformant UAs.

Hodges, et al. Standards Track [Page 45] RFC 6797 HTTP Strict Transport Security (HSTS) November 2012

Appendix C. Acknowledgments

 The authors thank Devdatta Akhawe, Michael Barrett, Ben Campbell,
 Tobias Gondrom, Paul Hoffman, Murray Kucherawy, Barry Leiba, James
 Manger, Alexey Melnikov, Haevard Molland, Yoav Nir, Yngve N.
 Pettersen, Laksh Raghavan, Marsh Ray, Julian Reschke, Eric Rescorla,
 Tom Ritter, Peter Saint-Andre, Brian Smith, Robert Sparks, Maciej
 Stachowiak, Sid Stamm, Andy Steingrubl, Brandon Sterne, Martin
 Thomson, Daniel Veditz, and Jan Wrobel, as well as all the websec
 working group participants and others for their various reviews and
 helpful contributions.
 Thanks to Julian Reschke for his elegant rewriting of the effective
 request URI text, which he did when incorporating the ERU notion into
 the updates to HTTP/1.1 [HTTP1_1-UPD].  Subsequently, the ERU text in
 this spec was lifted from Julian's work in the updated HTTP/1.1
 (part 1) specification and adapted to the [RFC2616] ABNF.

Authors' Addresses

 Jeff Hodges
 PayPal
 2211 North First Street
 San Jose, California  95131
 US
 EMail: Jeff.Hodges@PayPal.com
 Collin Jackson
 Carnegie Mellon University
 EMail: collin.jackson@sv.cmu.edu
 Adam Barth
 Google, Inc.
 EMail: ietf@adambarth.com
 URI:   http://www.adambarth.com/

Hodges, et al. Standards Track [Page 46]

/data/webs/external/dokuwiki/data/pages/rfc/rfc6797.txt · Last modified: 2012/11/19 23:07 (external edit)