
Man-in-the-middle attacks

Intercepting communications on insecure networks.

What it is

An attacker positions themselves between the user and your server (open Wi-Fi, malicious router, BGP hijack) and reads or modifies traffic.

How attackers exploit it

If you serve any page over HTTP, an attacker on the path can inject scripts into it. Without HSTS, the first HTTPS visit can be downgraded.

How to protect against it

  • HTTPS everywhere. Redirect HTTP → HTTPS at the edge.
  • Add `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload` and submit to the HSTS preload list.
  • Use TLS 1.2+ and disable old ciphers.
  • Publish CAA DNS records that restrict issuance to your certificate issuer.
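
To check the first two items on a deployed site, the sketch below audits the plain-HTTP redirect and the HSTS header against the value recommended above. It is an added example, not code from this article; the function names, the sample responses and the one-year minimum for preload eligibility are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption: one year is the minimum max-age accepted for preload submission.
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags


def audit(http_resp, https_resp):
    """Return findings for one host; each response is (status, headers)."""
    findings = []
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if not (300 <= status < 400 and urlsplit(location).scheme == "https"):
        findings.append("plain HTTP is served instead of redirecting to HTTPS")
    _, headers = https_resp
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        return findings + ["no HSTS header on the HTTPS response"]
    max_age, flags = parse_hsts(hsts)
    if max_age is None or max_age < PRELOAD_MIN_AGE:
        findings.append("max-age is missing or shorter than one year")
    for flag in ("includesubdomains", "preload"):
        if flag not in flags:
            findings.append(f"HSTS header lacks {flag}")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD = ((301, {"Location": "https://example.com/"}),
        (200, {"Strict-Transport-Security":
               "max-age=63072000; includeSubDomains; preload"}))
WEAK = ((200, {"Content-Type": "text/html"}),
        (200, {"strict-transport-security": "max-age=300"}))

if __name__ == "__main__":
    for label, (plain, tls) in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(plain, tls) or "ok")
```

Feed it the status and headers from one request to the `http://` URL and one to the `https://` URL of the same host; an empty list means both checks pass.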