Microsoft today announced support for HTTP Strict Transport Security (HSTS) in Internet Explorer. This change can be previewed using Internet Explorer in the Windows 10 Technical Preview, and will come to Microsoft's new browser - Project Spartan - in a later update.

The HSTS policy protects against variants of man-in-the-middle attacks that can strip TLS out of communications with a server, leaving the user vulnerable. For example, a user may initially connect to a non-encrypted version of a website before being redirected to a secure connection. An attacker exploiting the non-encrypted connection could redirect the user to a malicious site. HSTS mitigates this attack vector by allowing sites to specify that the browser should always use a secure connection to the server.

With HSTS, websites can register to be hardcoded by IE and other browsers to redirect HTTP traffic to HTTPS. Communications with these websites from the initial connection are automatically upgraded to be secure. Like other browsers which have implemented this feature, Internet Explorer's preload list is based on the Chromium HSTS preload list.

Sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP header. After an initial HTTPS connection from the client containing the HSTS header, any subsequent HTTP connections are redirected by the browser to be secured via HTTPS.

There are two important changes that impact users on sites using HSTS. First, when there is a certification error with a HSTS server, the user will not be able to click through and ignore the certificate error; they must abort their connection. Second, mixed content is not supported on servers supporting HSTS; all the content must be secure.