Checking domains HSTS status

If either the static_upgrade_mode: or the dynamic_upgrade_mode: line is set to STRICT, then HSTS is enabled.

Dynamic

Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:

Strict-Transport-Security: max-age=157680000; includeSubDomains;

This is vulnerable to an attack whereby, the very first time the browser requests the domain with http:// (not https://), an adversary intercepts the communication.

Static

In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention:

Strict-Transport-Security: max-age=157680000; includeSubDomains; preload

Note the inclusion of preload at the end. The domain is then submitted for review. If approved, it is added to the Chromium list, which is also included in the Firefox, Safari, and IE 11+Edge lists.


When you query chrome://net-internals/#hsts, it queries only the stored HSTS sites that you have visited using Chrome. The static_ and dynamic_ parts show the methods used to enable STS for the communication.

The result shows there are no static methods defined; only dynamic methods are there. pkp and sts in the result stand for public-key-pinning and strict transport security respectively. So dynamic_pkp_observed and dynamic_sts_observed are the times for STS, which is enabled for the domain. STS is allowed on that domain but not for subdomains.

It would be better to use "curl" for checking the STS.
For example:
curl -siL "owasp.org" | grep "Strict"
(-L to follow the redirect to https)

If the domain is configured to use STS, then in the server response you will see the header Strict-Transport-Security: max-age=value
That is why I'm grepping for Strict.
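The curl check above, as an added example that is not from either answer: a POSIX shell function that parses the last Strict-Transport-Security header out of curl -siL output and reports the max-age, includeSubDomains and preload directives described in the first answer. The sample responses and the example.test host are constructed.

```shell
#!/bin/sh
hsts_status() {
  # Read the whole response from stdin. With -L curl prints one header block
  # per hop, so the last block (the final https:// response) is the one that
  # counts. Header names are case-insensitive, so match them that way.
  hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | tail -n 1)
  if [ -z "$hdr" ]; then
    echo "HSTS: not set"
    return 1
  fi
  # Directive values may be quoted (RFC 6797); drop quotes, then lower-case.
  value=$(printf '%s' "${hdr#*:}" | tr -d '"' | tr 'A-Z' 'a-z')
  max_age=$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$max_age" ]; then
    # max-age is mandatory; browsers ignore a header that lacks it.
    echo "HSTS: invalid (no max-age)"
    return 1
  fi
  if [ "$max_age" -eq 0 ]; then
    # max-age=0 tells the browser to forget the host; it does not enable HSTS.
    echo "HSTS: disabled (max-age=0)"
    return 1
  fi
  subs=no; preload=no
  case "$value" in *includesubdomains*) subs=yes ;; esac
  # preload only states intent; the static list is built from submitted domains.
  case "$value" in *preload*) preload=yes ;; esac
  echo "HSTS: enabled max-age=$max_age subdomains=$subs preload=$preload"
}

# Constructed sample responses standing in for `curl -siL` output.
SAMPLE_PRELOAD='HTTP/1.1 301 Moved Permanently
Location: https://example.test/

HTTP/1.1 200 OK
Strict-Transport-Security: max-age=157680000; includeSubDomains; preload
Content-Type: text/html'

SAMPLE_DYNAMIC='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=157680000; includeSubDomains;
Content-Type: text/html'

SAMPLE_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

# Live use: curl -siL "https://example.test" | hsts_status
printf '%s\n' "$SAMPLE_PRELOAD" | hsts_status
printf '%s\n' "$SAMPLE_DYNAMIC" | hsts_status
printf '%s\n' "$SAMPLE_NONE" | hsts_status || true   # exit status 1 is expected
```

The exit status is 0 only when HSTS is actually in force, so the function can gate a scripted check; a header with max-age=0 is reported as disabled rather than enabled.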

Tags:

Hsts

Chrome