<h1>HTTP Strict Transport Security, a step forward in securing exchanges on the Internet?</h1>
<p>Published 21 February 2013 on SolucomINSIGHT (now RiskInsight, the Wavestone blog), by Arnaud Soullié. Original French version: https://www.riskinsight-wavestone.com/en/2013/02/http-strict-transport-policy-une-avancee-dans-la-securisation-des-echanges-sur-internet/</p>
<p><em>As a savvy Internet user, you have gotten into the habit of connecting to sensitive sites over HTTPS and checking for the little padlock next to the address bar, but is that really enough? Some imperfect HTTPS deployments can expose the data being exchanged, which is why an additional security mechanism was standardised at the end of last year: <a href="http://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security</a> (RFC 6797, November 2012).</em></p>
<h2>Why do we need HSTS?</h2>
<p>Unfortunately, HTTPS is often not used exclusively, which opens the door to three kinds of threat:</p>
<ul>
<li><strong>Passive network attacks on unencrypted traffic</strong></li>
</ul>
<p>It frequently happens that only some of the requests to a web server are encrypted, for example the authentication step. Once the user is authenticated, the following requests travel in the clear. An attacker who can intercept network traffic (on an open Wi-Fi network at <em>Starbucks</em>, for example) can then read the unencrypted requests, which carry the user's session cookies.
He can then impersonate the user.</p>
<ul>
<li><strong>Active network attacks that divert and intercept traffic</strong></li>
</ul>
<p>It is not rare to come across sites that offer a secure connection but also a traditional HTTP one. An attacker who can intercept network traffic can then modify the data sent by the site on the fly and replace "<strong><em>https://</em></strong><em>www.site.com</em>" links with links to the plaintext version "<strong><em>http://</em></strong><em>www.site.com</em>". Tools such as <a href="http://www.thoughtcrime.org/software/sslstrip">sslstrip</a> automate this: once again the attacker can capture the cookies and impersonate the victim. The attacker could just as well try to get the user to accept an invalid certificate, in order to decrypt the SSL exchanges on the fly.</p>
<ul>
<li><strong>Development errors</strong></li>
</ul>
<p>It is also possible that, deliberately or not, some requests are made in the clear, for example to load images or video content.
If the images are hosted on the same server, the cookies are sent along with the request (unless they carry the Secure attribute, which keeps the browser from attaching them to plaintext requests), and once again the attacker can steal the cookies and impersonate the victim.</p>
<h2>The solution proposed by HSTS: forcing the use of HTTPS</h2>
<p>HSTS sets out to counter these attacks by letting a website tell the browser that it must only open HTTPS connections to that site.</p>
<p>To do this, the site sends a specific HTTP header to the browser, which then rewrites every http:// URL for that site into https:// before sending the request, and keeps doing so for a given period of time. Because the plaintext request is never emitted, link-rewriting attacks such as sslstrip have nothing left to work with once the policy has been cached.</p>
<p>Moreover, if a certificate validation error occurs, the browser refuses to open the page in question; with HSTS in place, the user no longer has the option of clicking through a certificate validation warning: a sensible step forward!
HSTS thus provides a first level of protection against man-in-the-middle attacks.</p>
<h2>Implementing HSTS by adding the right headers</h2>
<p>The syntax of the HTTP header is as follows:</p>
<pre>Strict-Transport-Security: max-age=XXX; includeSubDomains</pre>
<p>Where:</p>
<ul>
<li>Strict-Transport-Security: the header name, which signals the use of HSTS</li>
<li>max-age=: the period, in seconds, during which the browser must force the use of HTTPS; this directive is required</li>
<li>includeSubDomains: indicates that the policy also applies to all subdomains of the host; this directive is optional</li>
</ul>
<p>Browsers only honour the header when it arrives over an HTTPS connection whose certificate validated without error; a header sent over plain HTTP is ignored, and the standard requires servers not to send it there. For an Apache web server, the following line therefore belongs in the configuration of the HTTPS virtual host (with mod_headers enabled). A single directive is used rather than a set followed by an append, because append joins the two values with a comma instead of the semicolon the header syntax requires, and the always condition makes sure the header is also sent on error responses:</p>
<pre>Header always set Strict-Transport-Security "max-age=XXX; includeSubDomains"</pre>
<p>Verify the deployment by requesting the site over HTTPS and checking that the header is present, then over plain HTTP and checking that it is absent and that the response redirects to HTTPS.</p>
<p>It is also advisable to set the max-age directive dynamically, so that it coincides with the certificate's expiry date and the cached policy never outlives the certificate that was presented. Bear in mind the flip side: while a policy is cached, any certificate problem (an expired or misconfigured certificate) locks users out with no way to click through, so HSTS goes hand in hand with disciplined certificate renewal. A short max-age during roll-out, raised once the deployment is stable, limits the damage of a mistake.</p>
<p>HSTS also provides for browsers to ship with a predefined list of HSTS hosts (such as Gmail, Facebook, etc.).</p>
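<p>The browser-side behaviour described in the two sections above, as an added example in Python modelled on RFC 6797 (not code from the original article or from any real browser): parsing the Strict-Transport-Security value, ignoring it when it arrives over plain HTTP or behind a certificate that failed validation, upgrading an http:// link that an sslstrip-style attacker has rewritten, honouring includeSubDomains and max-age expiry, and covering the very first connection with a preloaded entry. The hostnames, header values and the preloaded host accounts.example are constructed for the demonstration.</p>

```python
"""Browser-side HSTS policy engine modelled on RFC 6797 (added example).

Not code from the original article or from any real browser. Hostnames,
header values and the preloaded host "accounts.example" are constructed
for the demonstration.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the value is invalid per RFC 6797 section 6.1: max-age is
    required, no directive may appear twice, names are case-insensitive and
    unknown directives (e.g. "preload") are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')      # the RFC allows a quoted-string value
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Known HSTS hosts: hostname -> (expiry timestamp or None, include_subdomains)."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        # Preloaded entries never expire and, as in real browsers, cover subdomains.
        self.hosts = {h.lower(): (None, True) for h in preload}

    def observe(self, url, headers, cert_valid):
        """Process one response; returns True when a policy was stored."""
        parts = urlsplit(url)
        host = parts.hostname
        # Section 8.1: the header only counts over an error-free HTTPS connection,
        # so an attacker on plain HTTP can neither plant nor clear a policy.
        if parts.scheme != "https" or not cert_valid or not host:
            return False
        parsed = parse_sts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                       # max-age=0 asks the browser to forget the host
            self.hosts.pop(host, None)
            return False
        self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= self.now():
                del self.hosts[candidate]      # expired policy is dropped
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Section 8.3: return the URL the browser actually fetches."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        # Port 80 (explicit or implicit) becomes 443; any other explicit port is kept.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Walk through the sslstrip scenario from the article with constructed data."""
    cache = HstsCache(preload=["accounts.example"])
    # 1. First visit over valid HTTPS: the policy is cached for one year.
    stored = cache.observe("https://www.site.com/login",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                           cert_valid=True)
    # 2. sslstrip rewrote a link to http://; the browser upgrades it before sending.
    upgraded = cache.rewrite("http://www.site.com/account?id=7")
    # 3. The same header over plain HTTP, or behind a bad certificate, is ignored.
    planted = cache.observe("http://www.other.com/",
                            {"Strict-Transport-Security": "max-age=31536000"}, cert_valid=True)
    bad_cert = cache.observe("https://www.other.com/",
                             {"Strict-Transport-Security": "max-age=31536000"}, cert_valid=False)
    # 4. A preloaded host is protected even on the very first connection.
    first = cache.rewrite("http://login.accounts.example/")
    return stored, upgraded, planted, bad_cert, first


if __name__ == "__main__":
    print(demo())
```

<p>The clock is injectable so that expiry can be exercised without waiting; in a real browser the cache is persisted across sessions, which is exactly why a policy with a long max-age must only ever be published for a host whose certificate will be kept valid.</p>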
<p>This covers the risk of the very first, unencrypted connection: until the browser has received the header at least once over HTTPS, it holds no policy for the site, and an attacker on the path can strip the redirection to HTTPS before the policy is ever seen. A preloaded entry closes that window.</p>
<p>It is important to note that browsers only take HSTS headers into account if the certificate presented by the site chains to a certification authority root present in the trust store and validates without error, which effectively rules out self-signed certificates.</p>
<h2>Are all browsers HSTS-compatible?</h2>
<p>HSTS has been supported for several years by Chrome, Firefox and Opera, which now ship with a default list of HSTS sites.</p>
<p>By contrast, Microsoft's Internet Explorer and Apple's Safari are lagging behind and do not yet implement these protections (as of this article's publication in February 2013; both have since added support).</p>
<p>HSTS therefore brings a significant advance in securing exchanges on the Internet, and does so transparently for the general public. By imposing security (by not offering users the option of accepting an invalid certificate), we remove a weak link, the user, who can otherwise enable man-in-the-middle attacks, as was recently the case for GitHub in China.</p>
<p>Other threats remain, however: in particular the frequent weaknesses in the choice of encryption protocols and algorithms.
Moreover, the problem of certification authorities, which vouch for identities on the Internet, remains open, as the cases of DigiNotar and more recently <a href="https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/">TurkTrust</a> remind us.</p>
<p>Securing exchanges on the Internet remains a problem that requires expertise in its implementation, as well as regular checks to ensure the confidentiality and integrity of the data exchanged in the face of new threats.</p>
<p>Categories: Cloud &amp; Next-Gen IT Security, Cybersecurity &amp; Digital Trust. Tags: cyberattaque, cybercriminalité, http, https, internet, security architecture.</p>