I want to check a domain's HSTS (HTTP Strict Transport Security) status, can I use this page - chrome://net-internals/#hsts for the same?

Asked by Ankesh Kumar in Cyber Security, Jan 31, 2022
The Google Chrome browser offers a quick way to check a domain's HSTS (HTTP Strict Transport Security) status via the page chrome://net-internals/#hsts. What do the lines shown in the query result mean? Is HSTS mode enabled or not? What is the difference between the dynamic_ and static_ entries in the result?
Answered by Ranjana Admin
When you query chrome://net-internals/#hsts, it only queries the stored HSTS entries for sites that you have visited using Chrome. The static_ and dynamic_ parts show the methods by which STS was enabled for the communication.

The result shows that there are no static methods defined, only dynamic ones. pkp and sts in the result stand for public-key pinning and strict transport security respectively. So dynamic_pkp_observed and dynamic_sts_observed are the times at which STS was enabled for the domain. STS is allowed on that domain but not for subdomains.

It would be better to use "curl" for checking STS.
For example:
curl -siL "owasp.org" | grep -i "Strict-Transport-Security"    (-L follows the redirect to https)

If the domain is configured to use STS, then in the server response you will see the header Strict-Transport-Security: max-age=value
That is why I'm grepping for Strict.
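To go one step beyond grepping for the header, the following is an added example (not part of the answer above) that takes the output of curl -siL on standard input, picks out the headers of the final response after redirects, and parses the Strict-Transport-Security value according to the directive rules in RFC 6797 (max-age is required, a directive must not be repeated, names are case-insensitive, unknown directives are ignored, max-age=0 tells the browser to drop the policy). The curl output embedded in the script is constructed for the example, not captured from any real host; the host name example.test and the script name hsts_check.py are placeholders.

```python
"""Parse Strict-Transport-Security out of `curl -siL` output (added example)."""
import json
import re
import sys

# Constructed sample of what `curl -siL http://example.test/` prints: a 301 to
# https:// followed by the final response. Not captured from any real server.
CURL_OUTPUT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/2 200\r\n"
    "content-type: text/html\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
    "<html>...</html>"
)

# hstspreload.org requires at least one year, includeSubDomains and preload.
PRELOAD_MIN_MAX_AGE = 31536000


def last_response_headers(raw):
    """Headers of the final response in curl -i output as {lower-name: value}.

    curl -iL prints one header block per hop, each starting with a status line
    and ending at the first blank line; only the final hop is the one whose
    HSTS header a browser would honour. A repeated header keeps its first value,
    which is what RFC 6797 tells user agents to do.
    """
    parts = [p for p in re.split(r"(?m)^(?=HTTP/\d[.\d]* \d{3})", raw)
             if p.startswith("HTTP/")]
    if not parts:
        return {}
    head = re.split(r"\r?\n\r?\n", parts[-1], maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_hsts(value):
    """Parse an STS header value; return None if the header must be ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        val = val.strip().strip('"')           # values may be quoted; tolerate "max-age = 600"
        if name in seen:
            return None                        # a directive MUST NOT appear more than once
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", val):
                return None                    # delta-seconds must be an unsigned integer
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        return None                            # max-age is mandatory
    return policy


def hsts_status(raw):
    """Summarise the HSTS policy a browser would record from this curl output."""
    sts = last_response_headers(raw).get("strict-transport-security")
    if sts is None:
        return {"enabled": False, "reason": "no Strict-Transport-Security header on final response"}
    policy = parse_hsts(sts)
    if policy is None:
        return {"enabled": False, "reason": "invalid header value: %r" % sts}
    policy["enabled"] = policy["max_age"] > 0  # max-age=0 removes the policy
    policy["preload_eligible"] = (policy["max_age"] >= PRELOAD_MIN_MAX_AGE
                                  and policy["include_subdomains"] and policy["preload"])
    return policy


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else CURL_OUTPUT
    print(json.dumps(hsts_status(data), indent=2))
```

Run it as curl -siL https://owasp.org | python3 hsts_check.py, or with no input to see the result for the embedded sample. One caveat the script cannot check from headers alone: a browser ignores an STS header received over plain http, so make sure the final hop of the redirect chain is an https URL (curl -L prints the Location headers, so this is visible in the same output).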
