How security features can be weaponized for tracking
HSTS (HTTP Strict Transport Security) is a security feature that protects against protocol downgrade attacks: once a browser has seen the header from a host, it uses HTTPS for that host automatically. However, it can be abused to create "supercookies" that persist even after you clear your browser data.
A unique identifier is converted to binary (e.g., "42" → "101010"). Each bit represents one subdomain.
For each "1" bit, the tracker loads a subdomain over HTTPS with HSTS. For "0" bits, it uses HTTP without HSTS.
On future visits, the tracker requests each subdomain via HTTP. If HSTS redirects to HTTPS, that bit is "1". Otherwise, it's "0".
HSTS policies are stored separately from cookies and browsing history. They survive clearing cookies, private browsing, and browser restarts.
Unlike cookies, HSTS supercookies leave no visible trace. Users have no way to know they're being tracked.
"Clear browsing data" doesn't remove HSTS entries. The tracking ID persists indefinitely.
Some browsers share HSTS state with incognito mode, defeating privacy protections.
The same HSTS supercookie can be read across different websites, enabling comprehensive tracking.
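The following is an added illustration, not code from the page: an in-memory model of a browser's HSTS store that runs the write and read phases described above (bits of an identifier mapped to one subdomain each) and then shows why the cross-site read works against a browser-wide store and fails against a store keyed by the top-level site, which is the kind of mitigation a browser can adopt. The tracker domain, the site names and the 8-bit identifier width are constructed placeholders; nothing here touches the network.

```python
# Added illustration: an in-memory model of a browser's HSTS store.
# Not code from the page; domains, site names and widths are constructed.

TRACKER = "tracker.example"   # constructed placeholder tracker domain
ID_BITS = 8                    # identifier width in this model


def bit_hosts(n_bits=ID_BITS):
    """One subdomain per bit: b0.tracker.example ... b7.tracker.example."""
    return [f"b{i}.{TRACKER}" for i in range(n_bits)]


class SharedHstsStore:
    """Browser-wide HSTS store: an entry applies no matter which site caused
    the request that set it. This is the state the page's attack relies on."""

    def __init__(self):
        self._hosts = set()

    def record(self, host, top_site):
        # An HSTS header was seen on an HTTPS response for `host`;
        # the top-level site that triggered the load is ignored.
        self._hosts.add(host)

    def must_upgrade(self, host, top_site):
        # Would the browser rewrite an http:// request for `host` to https://?
        return host in self._hosts


class PartitionedHstsStore(SharedHstsStore):
    """HSTS store keyed by (top-level site, host): an entry learned while
    visiting one site is not consulted when another site triggers the load."""

    def __init__(self):
        self._entries = set()

    def record(self, host, top_site):
        self._entries.add((top_site, host))

    def must_upgrade(self, host, top_site):
        return (top_site, host) in self._entries


def encode_id(store, ident, top_site):
    """Write phase from the page: set HSTS on the subdomain of every 1 bit."""
    for i, host in enumerate(bit_hosts()):
        if (ident >> i) & 1:
            store.record(host, top_site)


def decode_id(store, top_site):
    """Read phase from the page: request each subdomain over http;
    a forced upgrade to https means that bit is 1."""
    ident = 0
    for i, host in enumerate(bit_hosts()):
        if store.must_upgrade(host, top_site):
            ident |= 1 << i
    return ident


def cross_site_read(store_cls, ident=42):
    """Encode the identifier while on one site, then read it back both from
    the same site and from an unrelated site."""
    store = store_cls()
    encode_id(store, ident, top_site="news.example")
    return {
        "same_site": decode_id(store, top_site="news.example"),
        "other_site": decode_id(store, top_site="shop.example"),
    }


if __name__ == "__main__":
    print("shared store:     ", cross_site_read(SharedHstsStore))
    print("partitioned store:", cross_site_read(PartitionedHstsStore))
```

With the shared store the identifier 42 is recovered from both sites, which is the cross-site tracking the page describes; with the partitioned store the unrelated site reads back 0, because the entries it consults were never set under its own top-level site. The model also makes the persistence point concrete: nothing in either store is tied to the cookie jar, so clearing cookies would leave every entry in place.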