A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented?
When enabled on the server, HTTP Strict Transport Security (HSTS), part of HTTP Security header, enforces the use of encrypted HTTPS connections instead of plain-text HTTP communication.
The original recommendation of A. HTTP security header (specifically HTTP Strict Transport Security or HSTS) is the most common and effective method for enforcing encrypted communications for web applications. HSTS is specifically designed to ensure that web browsers use secure HTTPS connections for all interactions with a web application, thereby enforcing encryption.
If the goal is to secure a web application and enforce encryption for all communications, HSTS is the appropriate solution. SRTP, on the other hand, is typically associated with securing real-time communication protocols like VoIP and is not designed for securing web applications.
To allow only encrypted communications for a web application without relying on network devices, a security analyst can implement HTTP security headers. These headers are added to the web application's HTTP response and provide instructions to the client's web browser on how to interact with the web application securely.
One specific HTTP security header that can be implemented for this purpose is the "Strict-Transport-Security" (HSTS) header. When the web server sends the HSTS header to the client's browser, it instructs the browser to only access the web application over HTTPS (encrypted HTTP) for a specified period. This helps prevent any insecure connections and ensures that all communication between the client and the web application is encrypted.
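Added example, not part of any comment in this thread: a Python sketch of how a browser treats the Strict-Transport-Security header described above, following the parsing rules in RFC 6797. The function names `parse_hsts` and `browser_action` and the sample header values in the closing comment are constructed for illustration.

```python
import re

# Directive grammar (RFC 6797 section 6.1): name [ "=" ( token | quoted-string ) ]
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*("[^"]*"|{TOKEN}))?')


def parse_hsts(value):
    """Parse one Strict-Transport-Security value; return a dict, or None if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                 # empty directives between ';' are permitted
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name = m.group(1).lower()    # directive names are case-insensitive
        if name in seen:             # a repeated directive invalidates the header
            return None
        seen[name] = (m.group(2) or "").strip('"')
    max_age = seen.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):   # max-age is required, in seconds
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in seen}


def browser_action(scheme, headers):
    """Classify what a conforming browser does with a response's HSTS header.

    headers is a list of (name, value) tuples as received. Returns one of
    'absent', 'ignored', 'invalid', 'removed' or 'enforced'.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return "absent"
    if scheme != "https":            # header seen over plain HTTP must be ignored
        return "ignored"
    policy = parse_hsts(values[0])   # only the first header field is processed
    if policy is None:
        return "invalid"
    # max-age=0 tells the browser to forget the host; anything else pins HTTPS
    return "removed" if policy["max_age"] == 0 else "enforced"

# Constructed sample: browser_action("https",
#   [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")])
```

Because the header is ignored on plain HTTP responses, the server still needs to redirect HTTP requests to HTTPS so that the browser receives the policy over a secure connection.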
HTTP security headers are a set of HTTP response headers that a web server can use to enhance the security of a web application. One of the security headers is the HTTP Strict Transport Security (HSTS) header, which allows a website to specify that it should only be accessed over a secure, encrypted connection (HTTPS). By implementing the HSTS header, the web application can enforce encrypted communications and prevent insecure connections. This additional layer of protection helps ensure that communications between the client and the server are encrypted, without relying solely on network devices for security.
HTTP security headers can be used to enforce secure communication between a web application and the client's web browser, ensuring that only encrypted traffic is allowed. Therefore, the correct answer is A. HTTP security header. DNSSEC implementation is used to secure the DNS infrastructure and does not provide additional protection for a web application. SRTP is used to secure real-time communication such as VoIP, and S/MIME is used to encrypt email messages.
The question asks to deploy an additional layer of protection for a WEB APPLICATION (emphasis added); this points to HTTP with security header. The question also uses the term ENCRYPTED COMMUNICATIONS (emphasis added), which might point to SRTP IF the nature of the communication involves voice, video &/or multimedia. Because the question does not include voice/video/multimedia verbiage and because the question more explicitly includes a (browser based) web application, HTTP with security header is a better fit.
Initially I went with A, but after asking Bing Chat this is what she said:
The solution that can be implemented to allow only encrypted communications without relying on network devices is SRTP. SRTP stands for Secure Real-time Transport Protocol and is used to provide confidentiality, message authentication, and replay protection to RTP (Real-time Transport Protocol) traffic.
The correct answer is C. SRTP (Secure Real-time Transport Protocol) is a cryptographic protocol designed to provide secure communication for voice and video traffic over the Internet, typically used in VoIP (Voice over IP) applications. By implementing SRTP, the web application can ensure that all communications are encrypted end-to-end, without relying on network devices to enforce security.
HTTP security headers can enhance the security of web applications, but they do not provide end-to-end encryption. DNSSEC (Domain Name System Security Extensions) is a protocol that provides integrity and authentication to DNS data, but it does not provide encryption for web application communications. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol used for securing email communications, but it is not typically used for web application security.
The solution that can be implemented to allow only encrypted communications without relying on network devices for a web application is option C, SRTP (Secure Real-Time Transport Protocol). SRTP is a security extension of the RTP (Real-Time Transport Protocol) used for multimedia communications, such as voice and video. It provides confidentiality, integrity, and replay protection for the RTP traffic. This will ensure that the web application only uses encrypted communications, even if the network devices are not enforcing encryption.
C. SRTP (Secure Real-time Transport Protocol) can be implemented to allow only encrypted communications without relying on network devices.
SRTP is a protocol designed to provide encryption, message authentication, and integrity for real-time multimedia communication, such as voice and video over IP networks. By implementing SRTP, the web application can ensure that all communications are encrypted, even if they traverse untrusted networks or devices.
HTTP security headers, DNSSEC implementation, and S/MIME are all useful security measures, but they do not directly address the goal of allowing only encrypted communications without relying on network devices. HTTP security headers are used to improve web application security by providing additional protections against various types of attacks, such as XSS and CSRF. DNSSEC is used to ensure the authenticity and integrity of DNS information, preventing DNS spoofing attacks. S/MIME is used to provide encryption and digital signatures for email communications.
SRTP is the solution that can be implemented to allow only encrypted communications without relying on network devices.
HTTP security header is used to enhance the security of web applications, but it doesn't provide end-to-end encryption.
A. HTTP security header - An HTTP security header can be added to the web application to enforce the use of encryption for all communication. This header can specify the use of Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to ensure that all data transmitted between the web server and client is encrypted. The header can also configure various security-related options such as disabling caching, preventing cross-site scripting (XSS) attacks, and mitigating cross-site request forgery (CSRF) attacks.
HTTP security headers include:
Strict-Transport-Security (HSTS)
X-XSS-Protection
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Note: HTTP security headers are not a replacement for encryption but rather a way to enforce encryption.