SSL stripping is an attack that downgrades a secure HTTPS connection to plain, unencrypted HTTP without the user noticing. It lets an attacker read or change data that should have been protected by encryption.
The attacker sits between the user and the website, intercepting the first request before the secure connection is set up. The attacker forwards user traffic to the real site over HTTPS, but sends the user a plain HTTP version of the page. Since most people do not check the address bar for a padlock icon, they keep browsing without realizing the data is now exposed. The attacker can then read passwords, cookies, and other data in plain text.
Match the strength of this control to what is actually at risk in the workflow.
USER-country-de-session-task01The credential string is the only configuration needed -- "country-de" sets the exit, "session-task01" keeps it consistent, and ssl stripping is handled by the gateway rather than your application code.
Test the setup with a leak-test tool or packet capture to confirm this protection is actually working, not just configured.
Pair this with sane session handling and header hygiene -- no single control covers a full workflow on its own.
Apply the strongest version of this control to logins, payments, and personal data -- it is overkill for public information.
Do not let two workflows that need to stay separate for privacy or account reasons share the same session or IP.
An attacker on a shared network strips SSL from a banking site login page, capturing the username and password as the victim types them.
This attack shows why users should always confirm a secure padlock and HTTPS before entering sensitive data. Proxies and browsers that enforce HTTPS connections help close this gap.
Yes, HSTS tells the browser to only connect over HTTPS, which blocks most SSL stripping attempts once the site is on the preload list. Without HSTS, the first connection can still be downgraded.
A proxy changes your IP address but does not replace the need for HTTPS. Always confirm the connection is encrypted no matter which proxy type you use.
Ready to put this into practice? Security Documentation
Start a free trial and test with real targets -- no credit card, no sales call.