RFC 6797 Quiz

HTTP Strict Transport Security

Goal: know the HSTS directives, the first-visit limitation, and a safe rollout strategy.

Q1: Which header enables HSTS policy in browsers?

Multiple Choice
**Explanation:** **Correct (B):** The policy is communicated via the Strict-Transport-Security response header, delivered over HTTPS.

Q2: Which are common HSTS directives? (select all)

Multi-Select
**Explanation:** **Correct (A,B,C):** max-age is required; includeSubDomains and preload are commonly used.
**Options:**
- D (incorrect): Not a directive

Q3: A limitation of HSTS is that it cannot fully protect...

Multiple Choice
**Explanation:** **Terms:** trust on first use. **Correct (C):** If the first request is made over HTTP, an active attacker can interfere before the policy has been learned. **Related:** Preload lists help mitigate the first-visit problem for eligible domains.

Q4: What is the unit of max-age in HSTS?

Multiple Choice
**Explanation:** **Correct (A):** max-age is an integer number of seconds.

Q5: Which directive applies the policy to all subdomains? (one token)

Short Text
**Explanation:** **Correct:** includeSubDomains. **Related:** Use with care, because it affects the entire subdomain tree.

Q6: A safe rollout strategy for HSTS often starts with...

Multiple Choice
**Explanation:** **Terms:** lock-in risk. **Correct (B):** A mistake can lock users out, so a staged rollout is safer.
**Options:**
- A (incorrect): High risk if any subdomain is not ready
- B (correct): Start small, then increase
- C (incorrect): The header must be delivered over a secure connection to be meaningful