Microsoft today announced support for HTTP Strict Transport Security (HSTS) in Internet Explorer. This is already part of Internet Explorer in the Windows 10 Technical Preview, and it will also come to Project Spartan in a later update.
The HSTS specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example.
This feature protects against variants of man-in-the-middle attacks that can strip TLS out of communications with a server, leaving the user vulnerable.
HSTS provides two methods for sites to secure their connections:
- Registering for a preload list: websites can register to be hardcoded by IE and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Internet Explorer’s preload list is based on the Chromium HSTS preload list.
- Serving an HSTS header: Sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP response header. After the browser has received this header over an initial HTTPS connection, it rewrites any subsequent HTTP requests to that site into HTTPS requests before they leave the machine, for as long as the header's max-age has not expired.
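The two methods above can be illustrated with a small model of the browser-side behaviour. The following is an added example, not code from the original article or from Internet Explorer: it parses a Strict-Transport-Security header, records the host only when the header arrived over HTTPS (as the specification requires), honours max-age, includeSubDomains and max-age=0, seeds a constructed stand-in for the preload list, and rewrites http:// URLs to https:// for known hosts. The hostnames and the preload entry are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the Chromium HSTS preload list (not real data).
# Value: whether the entry covers subdomains.
PRELOAD = {"preloaded.example": True}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains, preload) or None when the header
    is invalid (missing max-age, non-numeric max-age, duplicated directive).
    """
    max_age, include_sub, preload, seen = None, False, False, set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            return None  # a directive appearing twice invalidates the header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the specification requires
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsStore:
    """Minimal model of a browser's HSTS cache plus preload list."""

    def __init__(self, now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preload entries never expire
        self.entries = {h: (float("inf"), sub) for h, sub in PRELOAD.items()}

    def process_response(self, scheme, host, header):
        """Record an HSTS header. Returns True if the policy was accepted."""
        if scheme != "https":
            return False  # headers over plain HTTP are ignored (RFC 6797 8.1)
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// for known hosts; else return unchanged."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host):
            return url
        # port 80 becomes the HTTPS default; any explicit non-default port is kept
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.process_response("https", "bank.example", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.bank.example/login"))  # upgraded to https
    print(store.rewrite("http://other.example/"))          # left alone
```

The first request to a non-preloaded site is still sent over plain HTTP, which is exactly the window the preload list closes; everything after the first HTTPS response carrying the header is rewritten locally without a network round trip.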
Read more about it here.