Tag Archives: security

HSTS Preload and Subdomains

In order to be eligible for the HSTS Preload list, your site must usually serve a Strict-Transport-Security header with an includeSubdomains directive. Unfortunately, some sites do not follow the best practices recommended and instead just set a one-year preload header with includeSubdomains and then immediately request addition to the HSTS Preload list. The result is thatContinue reading “HSTS Preload and Subdomains”

Non-Secure Clicktrackers–The Fastest Path from A+ to F

HTTPS only works if you use it. Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096bit RSA key, and advanced features like browser-preloaded HSTS and HPKP. SSLLabs grades Coinbase’s HTTPS deployment an A+: This is a well-secured siteContinue reading “Non-Secure Clicktrackers–The Fastest Path from A+ to F”

Bolstering HTTPS Security

Last Update: 26 October 2023 When #MovingToHTTPS, the first step is to obtain the necessary certificates for your domains and enable HTTPS on your webserver. After your site is fully HTTPS, there are some other configuration changes you should consider to further enhance the site’s security. Validate Basic Configuration First, use SSLLab’s Server Test  toContinue reading “Bolstering HTTPS Security”

Silliness – Fiddler Blocks Malware

Enough malware researchers now depend upon Fiddler that some bad guys won’t even try to infect your system if you have Fiddler installed. The Malware Bytes blog post has the details, but the gist of it is that the attackers use JavaScript to probe the would-be victim’s PC for a variety of software. Beyond Kaspersky,Continue reading “Silliness – Fiddler Blocks Malware”