
1. What is HTTP Strict Transport Security?

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web server tell browsers that it should only be communicated with over HTTPS, never over plain HTTP. A web application enables it through a special response header. Once a supported browser receives this header, it will prevent any communication with the specified domain from being sent over HTTP and will instead send everything over HTTPS. It also prevents users from clicking through HTTPS certificate warnings in the browser.

The specification was published at the end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF.

2. How does HSTS work? The HSTS mechanism

A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers received over plain HTTP are ignored). For example, a server can send a header instructing the browser to use only HTTPS for requests to the domain for the next year (max-age is specified in seconds; 31,536,000 seconds is one non-leap year). The response header looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age defines the time in seconds for which the browser should only contact the site over HTTPS.
  • includeSubDomains is optional. It applies the HSTS policy to all of the site’s subdomains as well.
  • preload is also optional. The site owner can submit the website to the preload list, a list of sites hardcoded into Chrome as HTTPS-only.

When a web application issues an HSTS Policy to user agents, conformant user agents behave as follows:

  • Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be rewritten to https://example.com/some/page/ before the server is accessed.)
  • If the security of the connection cannot be ensured (e.g. the server’s TLS certificate is not trusted), show an error message and do not allow the user to access the web application.

The HSTS Policy helps protect web application users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user’s browser has HSTS Policy in effect for that web application.
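To make the directive semantics and the "ignored over plain HTTP" rule above concrete, the following Python example (added here; not code from the original article) parses a Strict-Transport-Security header value as RFC 6797 describes and evaluates a few constructed responses from a defender's point of view. The sample values, the one-year threshold applied to preload, and the function names are assumptions of this example.

```python
# Constructed sample responses (not captured from a real server): the scheme the
# header arrived on and the raw Strict-Transport-Security value (None = absent).
SAMPLES = {
    "good":      ("https", "max-age=31536000; includeSubDomains; preload"),
    "short":     ("https", "max-age=300"),
    "no_maxage": ("https", "includeSubDomains"),
    "over_http": ("http",  "max-age=31536000"),
    "absent":    ("https", None),
}

ONE_YEAR = 31536000  # seconds in a non-leap year, the value used in the article


def parse_hsts(value):
    """Split an STS header value into directives (RFC 6797 section 6.1):
    names are case-insensitive, each may appear once, max-age is required."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val if val else True   # valueless directive -> flag
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives


def evaluate(scheme, value):
    """Return (enforced, findings): whether a conformant browser would apply
    the policy, plus findings about weak or unusable settings."""
    if value is None:
        return False, ["no Strict-Transport-Security header"]
    if scheme != "https":
        return False, ["header received over plain HTTP: browsers ignore it"]
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return False, [f"invalid header: {e}"]
    if d["max-age"] == 0:
        return False, ["max-age=0 tells the browser to forget the policy"]
    findings = []
    if d["max-age"] < ONE_YEAR:
        findings.append(f"max-age {d['max-age']}s is below one year")
    if "preload" in d and ("includesubdomains" not in d or d["max-age"] < ONE_YEAR):
        findings.append("preload needs includeSubDomains and max-age >= one year")
    return True, findings
```

Running evaluate over each entry of SAMPLES shows which responses a browser would actually enforce and why the others fall short.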

HTTP Strict Transport Security mechanism

3. Threats it Protects Against

Failing to connect over a secure HTTPS connection can be quite detrimental in some cases, such as when accessing your online banking. According to owasp.org, the following three points are common threats that HSTS is able to protect against.

  1. Attackers using an invalid certificate in the hope that the user will accept the bad certificate.
  2. Old bookmarks that contain http:// or manually entered http:// URLs that can be vulnerable to an attack.
  3. Sites claiming to be fully HTTPS while serving HTTP content.

Due to HSTS’s strict rules, the above threats will no longer be relevant, as it does not allow the use of insecure HTTP.

4. Enabling HTTP Strict Transport Security on Your Server

Adding HSTS to your server is easy and can be done in just a couple of steps. See below for instructions on enabling it on Apache and Nginx.

4.1. Apache

In order to enable HSTS on your Apache server, you must edit your configuration file and add the following to your VirtualHost block.

4.2. Nginx

To enable HSTS on Nginx, add the following to the server block.

In order to check if the HSTS header is being delivered as a response header from your origin server, you can run a

5. Browser Support

All major up-to-date browsers currently support HSTS, with the exception of Opera Mini and versions of Internet Explorer before IE 11. So if you’re planning on using HTTP Strict Transport Security on your origin server, it’s fairly safe to say most of your users’ browsers will support it.

HTTP Strict Transport Security browser support

6. Conclusion

In summary, HTTP Strict Transport Security is a powerful and useful feature to implement for keeping your website visitors safe. Although insecure HTTP content can be delivered for a multitude of reasons, HSTS helps eliminate that risk, leaving attackers unable to intercept communication.
