Protecting Against HSTS Abuse (via) Any web feature that can be used to persist information will eventually be used to build super-cookies. In this case it’s HSTS—a web feature that allows sites to tell browsers “in the future always load this domain over HTTPS even if the request specified HTTP”. The WebKit team caught this being exploited in the wild, by encoding a user identifier in binary across 32 separate sub domains. They have a couple of mitigations in place now—I expect other browser vendors will follow suit.
Recent articles
- How Rob Pike got spammed with an AI slop "act of kindness" - 26th December 2025
- A new way to extract detailed transcripts from Claude Code - 25th December 2025
- Cooking with Claude - 23rd December 2025