HSTS Supercookie Demonstration
How security features can be weaponized for tracking
HSTS (HTTP Strict Transport Security) is a security feature: a site sends a Strict-Transport-Security header, and the browser then refuses to reach that host over plain HTTP for the stated max-age, which protects you from protocol-downgrade attacks. However, the same per-host memory can be abused to create "supercookies" that persist even after you clear your browser data.
How HSTS Supercookies Work
Binary Encoding
A unique identifier is converted to binary (e.g., "42" → "101010"). Each bit is assigned to one subdomain of the tracker's domain.
HSTS Flag Setting
For each "1" bit, the tracker loads that bit's subdomain over HTTPS with a Strict-Transport-Security header, so the browser records an HSTS policy for it. For each "0" bit, it loads the subdomain over plain HTTP, which sets no policy.
Reading the Cookie
On future visits, the tracker requests each subdomain via HTTP. If the browser upgrades the request to HTTPS (because it has an HSTS policy for that subdomain), that bit is "1". Otherwise, it's "0".
Persistence
HSTS policies are stored separately from cookies and browsing history. They survive clearing cookies, private browsing, and browser restarts.
Why This Is Concerning
Invisible Tracking
Unlike cookies, HSTS supercookies leave no visible trace. Users have no way to know they're being tracked.
Resistant to Clearing
"Clear browsing data" doesn't remove HSTS entries. The tracking ID persists indefinitely.
Bypasses Private Mode
Some browsers share HSTS state with incognito mode, defeating privacy protections.
Cross-Site Tracking
The same HSTS supercookie can be read across different websites, enabling comprehensive tracking.
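The following is an added example, not code from this demonstration page. It models the four steps above (binary encoding, setting the flags, reading them back, persistence) against a tiny in-memory stand-in for a browser's HSTS store, and then shows why the cross-site readout described in this section fails once the store is partitioned by top-level site, as modern browsers do with their network state. The domain names, the 8-bit width and the `HstsStore` class are constructed for the example; the model ignores includeSubDomains, preload lists and every other real-world detail.

```javascript
// Added example: HSTS supercookie write/read simulated against an in-memory
// HSTS store, plus the effect of per-site partitioning and max-age expiry.
// "tracker.example" and "site-*.example" are constructed placeholder names.

const BIT_COUNT = 8;                 // assumed width of the identifier in bits
const TRACKER = "tracker.example";   // constructed placeholder tracker domain

// Step 1: identifier -> fixed-width binary string, e.g. 42 -> "00101010".
function toBits(id, width = BIT_COUNT) {
  return id.toString(2).padStart(width, "0");
}

// The subdomain that carries bit i, e.g. "b3.tracker.example".
function bitHost(i) {
  return `b${i}.${TRACKER}`;
}

// Minimal model of a browser HSTS store. With `partitioned` set, each entry is
// keyed by the top-level site that was open when the policy was learned, which
// mirrors the network-state partitioning modern browsers apply (details vary).
class HstsStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Map(); // key -> expiry timestamp (ms)
  }
  key(host, topSite) {
    return this.partitioned ? `${topSite}|${host}` : host;
  }
  // Models receiving "Strict-Transport-Security: max-age=N" over HTTPS from
  // `host` while the user is on `topSite`.
  set(host, topSite, maxAgeSec, nowMs) {
    this.entries.set(this.key(host, topSite), nowMs + maxAgeSec * 1000);
  }
  // Would a plain http:// request to `host` be upgraded to https:// right now?
  upgrades(host, topSite, nowMs) {
    const expiry = this.entries.get(this.key(host, topSite));
    return expiry !== undefined && expiry > nowMs;
  }
}

// Step 2: write the ID. Every "1" bit loads its subdomain over HTTPS with an
// HSTS header; "0" bits are loaded over plain HTTP and record nothing.
function writeId(store, id, topSite, nowMs, maxAgeSec = 365 * 24 * 3600) {
  const bits = toBits(id);
  for (let i = 0; i < bits.length; i++) {
    if (bits[i] === "1") store.set(bitHost(i), topSite, maxAgeSec, nowMs);
  }
  return bits;
}

// Step 3: read the ID back. Request each subdomain over HTTP and note which
// ones the browser upgrades; an unknown visitor reads as all zeros.
function readId(store, topSite, nowMs) {
  let bits = "";
  for (let i = 0; i < BIT_COUNT; i++) {
    bits += store.upgrades(bitHost(i), topSite, nowMs) ? "1" : "0";
  }
  return parseInt(bits, 2);
}

// Unpartitioned store: an ID written while on site A is readable from site B.
function demoUnpartitioned() {
  const store = new HstsStore(false);
  writeId(store, 42, "site-a.example", 0);
  return readId(store, "site-b.example", 1000);
}

// Partitioned store: site A still reads its own ID, but site B sees no
// upgrades at all and therefore reads 0, the value for a fresh visitor.
function demoPartitioned() {
  const store = new HstsStore(true);
  writeId(store, 42, "site-a.example", 0);
  return {
    fromSiteA: readId(store, "site-a.example", 1000),
    fromSiteB: readId(store, "site-b.example", 1000),
  };
}

// Expiry: bits decay to 0 once max-age has elapsed. Trackers counter this by
// sending a very long max-age, which is why the page calls the ID persistent.
function demoExpiry() {
  const store = new HstsStore(false);
  writeId(store, 42, "site-a.example", 0, 60); // max-age of 60 seconds
  return readId(store, "site-a.example", 61 * 1000);
}

console.log("unpartitioned, read from site B:", demoUnpartitioned()); // 42
console.log("partitioned:", demoPartitioned());   // { fromSiteA: 42, fromSiteB: 0 }
console.log("after max-age expired:", demoExpiry()); // 0
```

The partitioned case is the defender's takeaway: the supercookie still works as a first-party identifier on the tracker's own site, but keying HSTS state by top-level site removes the cross-site linkage that makes it a tracking vector, which is exactly the mitigation browsers adopted.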