The basic problem that HSTS solves is that even after a website turns on HTTPS, visitors may still end up trying to connect over plain HTTP. For example:
When a user types “goyun.info” into the URL bar, browsers default to using http://.
A user may click on an old link that mistakenly uses an http:// URL.
A user’s network may be hostile and actively rewrite https:// links to http://.
Websites that prefer HTTPS will generally still listen for connections over HTTP in order to redirect the user to the HTTPS URL. For example:
$ curl --head http://www.facebook.com
HTTP/1.1 301 Moved Permanently
Location: https://www.facebook.com/
This redirect is insecure and is an opportunity for an attacker to capture information about the visitor (such as cookies from a previous secure session), or to maliciously redirect the user to a phishing site.
This can be addressed by returning a Strict-Transport-Security header whenever the user connects securely. For example:
$ curl --head https://www.facebook.com
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15552000; preload
This enables HSTS for www.facebook.com. While HSTS is in effect, clicking any links to http://www.facebook.com will cause the browser to issue a request directly for https://www.facebook.com.
In the above example, the browser will remember the HSTS policy for 180 days. The policy is refreshed every time the browser sees the header again, so if a user visits https://www.facebook.com at least once every 180 days, they’ll be protected by HSTS indefinitely.
Since it’s just an HTTP header, HSTS is very easy to add to a domain.
However, to enable HSTS for a domain via the HTTP header, the browser does have to see the header at least once. This means that users are not protected until after their first successful secure connection to a given domain.
To solve the “first visit” problem, the Chrome security team created an “HSTS preload list”: a list of domains baked into Chrome that get Strict Transport Security enabled automatically, even for the first visit. Firefox, Safari, and newer versions of Internet Explorer also incorporate Chrome’s HSTS preload list.
While you can’t hardcode the entire internet into a big list, the HSTS preload list is a simple, effective mechanism for locking down HTTPS for the near future. As the web transitions fully to HTTPS over the long term, and browsers can start phasing out plain HTTP and defaulting to HTTPS, the HSTS preload list (and HSTS itself) may eventually become unnecessary.
HSTS as a forcing function
Strict Transport Security provides meaningful security benefits to visitors, especially visitors on hostile networks.
However, it’s also highly valuable as an organizational forcing function and compliance mechanism.
When a domain owner follows the recommendations in this article and sets an HSTS policy on its base domain with includeSubDomains and preload, the domain owner is saying “Every part of our web infrastructure is HTTPS, and always will be.” — and is giving browsers permission to vigorously enforce that from then onwards.
It’s a clear and auditable commitment, and gives anyone overseeing an organization’s transition to HTTPS a way of marking domains as “done”.
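To make the policy lifecycle described above concrete (the 180-day max-age and its refresh, and the includeSubDomains directive that extends a base-domain policy to every subdomain), here is an added example that models a browser's HSTS store; it is not code from the original article, and it follows the header syntax of RFC 6797 while leaving explicit ports out of the model.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    # Returns (max_age_seconds, include_subdomains), or None when the header is
    # unusable (missing or non-numeric max-age). "preload" is just a submission
    # hint for the browser preload list and is ignored by the browser itself.
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expiry as epoch seconds, include_subdomains)

    def observe(self, url, header, now):
        # Only a header seen over HTTPS counts; every sighting refreshes the
        # expiry, and max-age=0 removes the policy.
        parts = urlsplit(url)
        parsed = parse_hsts(header)
        if parts.scheme != "https" or parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname.lower(), None)
        else:
            self.policies[parts.hostname.lower()] = (now + max_age, include_sub)

    def upgrade(self, url, now):
        # The URL the browser would really fetch: http:// becomes https:// when an
        # unexpired policy covers the exact host, or a parent domain's policy has
        # includeSubDomains. Explicit ports are not modelled here.
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            expiry, include_sub = self.policies.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or include_sub):
                return "https://" + url[len("http://"):]
        return url
```

Feeding the store the two headers quoted in this article shows the difference: the www.facebook.com policy covers only that host, while a base-domain policy with includeSubDomains also rewrites requests for any subdomain.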
On Apache, you would apply a Header directive to always set the HSTS header, like so:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
On Microsoft systems running IIS (Internet Information Services), there are no “.htaccess” files to implement custom headers. IIS applications use a central “web.config” file for configuration. For IIS 7.0 and up, the code is as follows:
The .mysql_history file is used internally by the command-line editing library, libedit. The file is not intended to be viewed or edited directly.
The content of the file is encoded by wctomb. To view the content:
shell> cat ~/.mysql_history | python2.7 -c "import sys; print(''.join([l.decode('unicode-escape') for l in sys.stdin]))"
If your system has python 3.x installed, the command must be changed like below:
shell> cat ~/.mysql_history | python -c "import sys; print(*[l.decode('unicode-escape') for l in sys.stdin.buffer], sep='')"
MyCli History and Search
MyCli keeps track of the queries entered in the REPL. The Up/Down arrow keys can be used to navigate the history.
Pressing <C-r> will enable incremental history search. So press <C-r> and then start typing your search term to see the queries narrowed down. You can cycle through the matches by pressing <C-r> again.
The history file ~/.mycli-history contains all the sq…