The application I'm working on is accessible only via IP address, so HTTPS connection is provided via a custom-signed certificate.

I explained to my client that (from MDN docs)

[...] when your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

it therefore does not work with self-signed certificate, but he wants it anyway because of (quoting) "security reasons".

Does the HSTS header have any usefulness in case of self-signed certificates?

HSTS will not work with typical self-signed certificates, i.e. where the issuer is the certificate itself. But it will work with certificates issued by any CA provided that this CA is added as trusted to the browser. This means also that some private CA can be used to create the certificate in question as long as this private CA is added as trusted to the browsers.

  • Just as an interesting anecdote, I was using a certificate signed for localhost and a root CA trusted on my laptop at one point, to test HSTS. This back-fired big time later, as the HSTS restriction is not possible to override in Chrome the way an untrusted certificate is. HSTS is an amazing security feature, but should probably be used with caution if you're not very familiar with certificate management in general since there's no way around it for the user. – nbering 56 secs ago
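As an added example (not part of the question, answer or comment above), a small Python model of the browser rules being discussed: a Strict-Transport-Security header seen over a connection with certificate errors is ignored, one seen via a chain the browser trusts (for instance a private CA added to its trust store) is cached, and a later certificate error on a cached host cannot be clicked through. It also applies the RFC 6797 rule that HSTS hosts are identified by domain name only, so an IP-address host, as in the question's deployment, never becomes one; the hostnames, timestamps and header values are constructed.

```python
import ipaddress

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    None when max-age is missing or not an integer (RFC 6797 section 6.1)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def is_ip_literal(host):
    """RFC 6797 identifies HSTS hosts by domain name only; IP literals never qualify."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, host, chain_trusted, header, now):
        """Return True if the header was honoured: browsers ignore it when the chain
        did not validate (self-signed, or a private CA not in the trust store)."""
        if not chain_trusted or is_ip_literal(host):
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def connection_outcome(self, host, chain_trusted, now):
        """Untrusted chain: 'warn' (click-through page), or 'fatal' on a cached HSTS host."""
        if chain_trusted:
            return "ok"
        policy = self.policies.get(host)
        return "fatal" if policy and policy[0] > now else "warn"
```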
