Question

I was doing some research on how Firefox and Chrome are implementing HSTS (HTTP Strict Transport Security) in detail.

Turns out that they have a predefined list with some sites that already implement HSTS. This can be seen here, here and/or here. And these lists seem to be somehow linked to the source code itself, which somehow makes sense... but how do Firefox and Chrome handle my own HSTS headers? How and where do they store my URL, my max-age and whether I includeSubDomains or not? I wasn't able to find this in about:config or likewise....

So maybe somebody knows more about this issue than me, I'm just curious (: Thx!

Answer

Sites that want HTTP Strict Transport Security (HSTS) enforced send a header in the response: Strict-Transport-Security: max-age=31536000, max-age being the time for it to expire. It is sent on each request so that it gets updated to that much more time every time it is requested.

The browser (I have tried only Firefox) stores this data with it and will use it every time the site is accessed. This is true even for incognito mode. If you have ever accessed the site before in non-incognito mode, then the details of that site are saved and used even if you try to open it now in incognito mode.

For Firefox this data is stored in a file called SiteSecurityServiceState.txt, which is in your Firefox profile folder. You can enter about:support in the browser and then select "Show in folder" to open your profile folder, where you can locate this file.

I am not sure about predefined sites, but above is the file where normal site HSTS details are updated for Firefox.

More details: Understanding HTTP Strict Transport Security (HSTS)

PS: Above link goes to my personal blog that has more details on HSTS.
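An added example, not part of the question or the answer above, that models the behaviour the answer describes: a browser parses the Strict-Transport-Security header on each response, refreshes the host's expiry from max-age, and honours includeSubDomains when deciding whether a later request must be upgraded. The host names and the in-memory store are constructed for illustration; a real browser persists the same data to disk (for Firefox, the SiteSecurityServiceState.txt file mentioned above).

```python
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds since epoch) when the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns (max_age, include_subdomains), or None when the header must be
    ignored: missing or duplicated max-age, or a non-numeric max-age value.
    Unknown directives (e.g. preload) are skipped, as the RFC requires."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """In-memory stand-in for the browser's per-host HSTS state (constructed)."""

    def __init__(self):
        self._entries = {}

    def process_response(self, host, header_value, now=None):
        """Record/refresh the policy for host; max-age=0 makes the browser forget it."""
        now = time.time() if now is None else now
        parsed = parse_sts_header(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = HstsEntry(now + max_age, include_subdomains)
        return True

    def is_enforced(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry.expires_at > now and (i == 0 or entry.include_subdomains):
                return True
        return False
```

Note that a real browser only honours this header when it arrives over a valid TLS connection; the store above leaves that check to the caller.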

Licensed under: CC-BY-SA with attribution