Tag Archives: http

HTTP Strict Transport Security

Here’s another gotcha (and a genuinely useful feature) of the internet world: HSTS (HTTP Strict Transport Security).

Basically a website can send a Strict-Transport-Security response header that tells the browser to use HTTPS automatically for all subsequent requests to that host for a period of time. The browser only honours the header when it arrives over an HTTPS connection with a valid certificate; the same header sent over plain HTTP is ignored, which is what stops an attacker on the network from setting a bogus policy.

[Screenshot: the Strict-Transport-Security response header as shown in the browser's developer tools]

The response header above says that for the next 31536000 seconds (one year) the browser has to use HTTPS to access this domain and, because of the includeSubDomains directive, all of its subdomains as well.

This becomes a gotcha when you are testing a new subdomain over plain HTTP by pointing it at a test server in your local hosts file: the browser refuses to connect over HTTP and silently rewrites the URL to HTTPS before sending anything, without consulting the web server first. The policy was cached a long time ago from the production site, and nothing your test server says over HTTP can change it.

Fortunately the cached policy can be overcome. Clearing the browser's cache or site data usually does it; Chrome also lets you inspect and delete the entry for a specific domain at chrome://net-internals/#hsts. Note that a domain on the browser's built-in HSTS preload list cannot be removed this way, because that list is compiled into the browser itself.
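To make the behaviour above concrete, here is an added example (not code from the original post) that parses a Strict-Transport-Security header the way RFC 6797 describes and models a browser's HSTS store: which hosts a cached policy covers, why a header received over plain HTTP changes nothing, and what "forgetting" a domain does. The hostnames, timestamps and header values are constructed for the example.

```python
"""Added example: a minimal model of how a browser applies HSTS.

Not the original post's code. Hosts, header values and timestamps below are
constructed; the directive handling follows RFC 6797.
"""


def parse_hsts(header_value):
    """Parse Strict-Transport-Security directives into a dict.

    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the header is invalid (max-age is mandatory).
    Directive names are case-insensitive; unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsCache:
    """Browser-side HSTS store keyed by host name."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, over_tls, now):
        """Record a policy seen in a response.

        Browsers ignore the header unless it arrived over HTTPS with no
        certificate errors, so a header on a plain-HTTP response is dropped.
        max-age=0 tells the browser to forget an existing policy.
        """
        if not over_tls:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (now + policy["max_age"],
                               policy["include_subdomains"])

    def must_use_https(self, host, now):
        """True if a request to host must be upgraded to HTTPS at time now.

        The host itself matches an entry directly; a parent domain's entry
        applies only if it was set with includeSubDomains.
        """
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired policy no longer applies
            if i == 0 or include_subdomains:
                return True
        return False

    def forget(self, host):
        """What deleting the domain in chrome://net-internals/#hsts does."""
        self._entries.pop(host.lower(), None)


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: production site sent the header a while ago, over HTTPS.
    cache.observe("example.com", "max-age=31536000; includeSubDomains",
                  over_tls=True, now=1000)
    # The new test subdomain in the hosts file is forced to HTTPS anyway.
    print("dev.example.com ->", cache.must_use_https("dev.example.com", 2000))
    cache.forget("example.com")
    print("after forget   ->", cache.must_use_https("dev.example.com", 2000))
```

The `must_use_https` walk up the parent domains is the reason a policy set once on the apex domain with includeSubDomains blocks plain-HTTP testing of any subdomain, including ones that did not exist when the policy was cached.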

About Apache Compression and Content-Length Header

Just resolved an interesting problem today: one of our components broke because the response headers sent by the web server did not include Content-Length.

Spent quite a while investigating, and it turns out this is due to gzip compression. As seen below, Content-Encoding is gzip. Because mod_deflate compresses the response on the fly, Apache does not know the final size when it starts sending, so it omits Content-Length and streams the body with Transfer-Encoding: chunked instead. A client that insists on Content-Length will therefore fail on any compressed response, not just this one.

[Screenshot: Apache response headers showing Content-Encoding: gzip and no Content-Length]

Gzip compression can be disabled on Apache via .htaccess. mod_deflate skips any request whose environment has the no-gzip variable set, so in my case I disabled compression for .swf files only by adding the following configuration (SWF files are already compressed, so gzip gains nothing for them anyway):

  <FilesMatch "\.swf$">
    SetEnv no-gzip 1
  </FilesMatch>

Check the result with a request that advertises compression, e.g. curl -sI -H 'Accept-Encoding: gzip' against the file: the response should now carry Content-Length and no Content-Encoding header. The more robust fix is on the client side, since any HTTP/1.1 client has to handle chunked responses without Content-Length regardless of what this particular server does.
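The client-side fix mentioned above, as an added example that is not part of the original post: a small HTTP/1.1 response reader that handles both a fixed Content-Length body and the case that broke here, a chunked, gzip-encoded body with no Content-Length. The two raw responses are constructed inline; the header names and framing follow RFC 7230, and the body content is a stand-in, not a real SWF file.

```python
"""Added example: read an HTTP/1.1 response body with or without Content-Length.

Not the original post's code. The raw responses below are constructed; the
second one mimics mod_deflate output (gzip, chunked, no Content-Length).
"""
import gzip

# Constructed body; a real .swf would be binary but the framing is identical.
PAYLOAD = b"constructed stand-in for a small .swf body " * 4


def parse_response(raw):
    """Split a raw response into (status_line, headers_dict, body_bytes).

    Header names are lower-cased; duplicate headers keep the last value,
    which is enough for this example.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (RFC 7230 section 4.1).

    Each chunk is "<hex size>[;extensions]\\r\\n<data>\\r\\n"; a zero-size
    chunk ends the body. Trailer fields after it are ignored here.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data


def read_body(raw):
    """Return (status_line, headers, decoded_body) for a raw response."""
    status, headers, body = parse_response(raw)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and "content-length" in headers:
        # Both present is a classic request-smuggling ambiguity; refuse it.
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if chunked:
        payload = dechunk(body)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("short body: %d < %d" % (len(body), length))
        payload = body[:length]
    else:
        payload = body  # body delimited by connection close
    if headers.get("content-encoding", "").lower() == "gzip":
        payload = gzip.decompress(payload)
    return status, headers, payload


def plain_response():
    """Constructed: what Apache sends once no-gzip is set for the file."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: application/x-shockwave-flash\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PAYLOAD)) + PAYLOAD


def gzip_chunked_response(chunk_size=16):
    """Constructed: mod_deflate-style response, gzip + chunked, no length."""
    compressed = gzip.compress(PAYLOAD)
    chunks = [compressed[i:i + chunk_size]
              for i in range(0, len(compressed), chunk_size)]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks)
    body += b"0\r\n\r\n"  # last-chunk, empty trailer section
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: application/x-shockwave-flash\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Vary: Accept-Encoding\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n") + body


if __name__ == "__main__":
    for raw in (plain_response(), gzip_chunked_response()):
        status, headers, body = read_body(raw)
        print(status, "Content-Length" in raw, body == PAYLOAD)
```

Note the order of operations in `read_body`: transfer-encoding framing (chunked) is undone first, then the content encoding (gzip), which is the reverse of how the server applied them. Rejecting a response that carries both Transfer-Encoding and Content-Length is deliberate; that combination is the ambiguity request-smuggling attacks exploit, and a client should not guess which one to trust.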