gnh1201 / caterpillar

Caterpillar Proxy - The simple web debugging proxy (formerly, php-httpproxy)
https://catswords.social/@catswords_oss
MIT License
19 stars 9 forks source link

Bypassing HSTS policy on the web browser #8

Open gnh1201 opened 9 months ago

gnh1201 commented 9 months ago

HSTS only applies to software that fulfills all the specifications as a web browser. Therefore, in communications where there is no web browser involved, typical SSL MITM poses no issue.

However, if you intend to use a web browser, HSTS policies can cause inconvenience. Thus, here are some alternatives:

These alternatives are based on the assumption that we won't alter the web browser's settings. Disabling the HSTS feature by adjusting the browser settings can resolve the issue more easily than expected.

  1. Removing HSTS-related headers.
  2. Proxying with an actual web browser.

I'll add more ideas if they come up in the future.