<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hsts on Commentary of Takao</title><link>https://takao.blog/ko/tags/hsts/</link><description>Recent content in Hsts on Commentary of Takao</description><generator>Hugo -- gohugo.io</generator><language>ko</language><copyright>Commentary of Takao</copyright><lastBuildDate>Sun, 12 Jul 2026 04:12:51 +0900</lastBuildDate><atom:link href="https://takao.blog/ko/tags/hsts/index.xml" rel="self" type="application/rss+xml"/><item><title>Enforcing HTTPS Connections Securely using HSTS policies</title><link>https://takao.blog/ko/web/web-security-http-strict-transport-hsts-hacks/</link><pubDate>Fri, 16 Jan 2026 00:00:00 +0900</pubDate><guid>https://takao.blog/ko/web/web-security-http-strict-transport-hsts-hacks/</guid><description>&lt;img src="https://takao.blog/img/thumbnail/web-security-http-strict-transport-hsts-hacks-ko.png" alt="Featured image of post Enforcing HTTPS Connections Securely using HSTS policies" /&gt;&lt;h2 id="the-first-request-problem"&gt;The First-Request Problem
&lt;/h2&gt;&lt;p&gt;HTTPS encrypts traffic after the 연결 is established, but the initial request to an HTTP URL is still sent in cleartext. An attacker on the same 네트워크 can intercept that first request, perform an &lt;strong&gt;SSL stripping&lt;/strong&gt; attack, and downgrade the user to HTTP for the entire session.&lt;/p&gt;
&lt;p&gt;HTTP Strict Transport Security (HSTS) closes this window. Once a browser receives an HSTS header, it &lt;strong&gt;automatically upgrades all future HTTP requests&lt;/strong&gt; to HTTPS and refuses to connect if the certificate is invalid.&lt;/p&gt;</description></item></channel></rss>