
In the previous article, we discussed the HSTS protocol and its benefits. We strongly recommend you read it before you proceed.

Now that you understand and appreciate the usefulness of HSTS, in this post we will talk about how to implement the HSTS protocol on your websites and your APIs.

To refresh our memory, the definition of HSTS is as follows:

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

As per the RFC documentation of HSTS, the syntax of the header is:

Strict-Transport-Security: max-age=<expire-time>


Using HTTPS is considered best practice for securing communication over a network. But is this really effective on its own? It turns out the answer is NO!

Why is HTTPS alone ineffective?

HTTPS protocol was originally created to serve the following purposes:

  • The bidirectional encryption of communications
  • Protect against man-in-the-middle attacks
  • Prevent eavesdropping on and tampering with the communication

Unfortunately, although the protocol itself was sound, a man-in-the-middle attack was still possible through SSL stripping. In SSL stripping, an attacker forces the browser to connect to a website over plain HTTP so that the communication can be intercepted and modified.

As you must have guessed, the problem doesn’t lie with the…

Within the infosec and SecOps community, NVD is a well-known entity, but we realised that outside of it few people are aware of its existence.
So what is it exactly?

NVD stands for National Vulnerability Database. It is one of the largest collections of vulnerabilities reported by software vendors and security researchers all over the world. Thousands of IT security teams and enterprises use this data source for vulnerability management, security and compliance of their tech stack.

NVD was originally conceptualised in 2000 in the U.S. with the objective of creating an access database of attack scripts…

SecOps Solution

Identifying top 1% Vulnerabilities in enterprise tech stack
