{
	"id": "a2150e43-1b0d-4045-8185-3831c3688f18",
	"created_at": "2026-04-06T00:21:47.293825Z",
	"updated_at": "2026-04-10T03:36:48.442384Z",
	"deleted_at": null,
	"sha1_hash": "0eaeb5a9f482057aae98d450caf40352eca5c571",
	"title": "HTTP Strict Transport Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42374,
	"plain_text": "HTTP Strict Transport Security\r\nArchived: 2026-04-05 15:55:35 UTC\r\nHTTP Strict Transport Security allows a site to request that it always be contacted over HTTPS. HSTS is\r\nsupported in Google Chrome, Firefox, Safari, Opera, Edge and IE (caniuse.com has a compatibility matrix).\r\nThe issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of\r\nthe time. In the latter case, browsers will insert http:// for them.\r\nHowever, HTTP is insecure. An attacker can grab that connection, manipulate it and only the most eagle-eyed\r\nusers might notice that it redirected to https://www.bank0famerica.com or some such. From then on, the user is\r\nunder the control of the attacker, who can intercept passwords, etc. at will.\r\nAn HSTS-enabled server can include the following header in an HTTPS reply:\r\nStrict-Transport-Security: max-age=16070400; includeSubDomains\r\nWhen the browser sees this, it will remember, for the given number of seconds, that the current domain should\r\nonly be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the\r\ndefault. In fact, all requests for URLs in the current domain will be redirected to HTTPS. (So you have to make\r\nsure that you can serve them all!).\r\nFor more details, see the specification.\r\nPreloaded HSTS sites\r\nThere is still a window where a user who has a fresh install, or who wipes out their local state, is vulnerable.\r\nBecause of that, Chrome maintains an \"HSTS Preload List\" (and other browsers maintain lists based on the\r\nChrome list). These domains will be configured with HSTS out of the box.\r\nIf you own a site that you would like to see included in the preloaded HSTS list you can submit it at\r\nhttps://hstspreload.org.\r\nExamining the HSTS list within the browser\r\nYou can see the current HSTS Rules -- both dynamic (set by a response header) and static (preloaded) using a tool\r\non the about://net-internals#hsts page.\r\nCheck the source for the full list.\r\n(To see the version of the list in a particular version of Chrome, visit this URL with __branch_commit__ replaced\r\nby the hash of the relevant build from here.)\r\nhttps://www.chromium.org/hsts/\r\nPage 1 of 2\n\nSource: https://www.chromium.org/hsts/\r\nhttps://www.chromium.org/hsts/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.chromium.org/hsts/"
	],
	"report_names": [
		"hsts"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0eaeb5a9f482057aae98d450caf40352eca5c571.pdf",
		"text": "https://archive.orkl.eu/0eaeb5a9f482057aae98d450caf40352eca5c571.txt",
		"img": "https://archive.orkl.eu/0eaeb5a9f482057aae98d450caf40352eca5c571.jpg"
	}
}