HTTP Strict Transport Security (HSTS)

Security | Friday, 25 March 2016

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with over HTTPS, never over plain HTTP. If a web site accepts a connection over HTTP and then redirects to HTTPS, the user may initially talk to the non-encrypted version of the site before being redirected. HSTS lets a web site inform the browser that it should never load the site over HTTP and should automatically convert every attempt to access the site over HTTP into an HTTPS request instead. The web application does this by sending a special response header. Once a supported browser receives this header, it will prevent any communication with the specified domain from being sent over HTTP and will instead send all communication over HTTPS. It also prevents HTTPS click-through prompts (accepting an invalid certificate) in browsers.

HSTS addresses the following threats:

  • A user bookmarks or manually types http:// in the address bar instead of https:// and is exposed to a man-in-the-middle attacker;
  • A web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP;
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate. HSTS does not allow the user to override the invalid certificate warning; Firefox, for example, displays: "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

The recommended configuration is:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    • includeSubDomains: all present and future subdomains will be HTTPS only;
    • preload: indicates the site owner's consent to have their domain included in the HSTS preload list. The HSTS preload list is a list of sites hardcoded into Chrome as being HTTPS only. Firefox, Safari, IE 11 and Edge also have HSTS preload lists, which include the Chrome list.
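As an added example (not code from the original article), the checker below parses a Strict-Transport-Security value and compares it against the recommended configuration above; directive names are matched case-insensitively as RFC 6797 specifies, and the one-year threshold is taken from the article's max-age value.

```python
import re
from typing import Dict, List, Optional

# Recommended policy from the article: one year in seconds, all subdomains, preload consent.
RECOMMENDED_MAX_AGE = 31536000


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive and values may be quoted (RFC 6797).
    Returns an empty dict when the header is empty or a directive is repeated,
    which RFC 6797 forbids, so callers can treat it as malformed.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return {}
        directives[name] = value.strip().strip('"') if has_value else None
    return directives


def check_hsts(header: str) -> List[str]:
    """Return findings against the recommended policy; an empty list means it matches."""
    d = parse_hsts(header)
    if not d:
        return ["header missing, empty or malformed (duplicate directive)"]
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return ["max-age is required and must be a non-negative integer"]
    age = int(max_age)
    findings: List[str] = []
    if age == 0:
        findings.append("max-age=0 removes the policy: browsers will stop enforcing HTTPS")
    elif age < RECOMMENDED_MAX_AGE:
        findings.append(f"max-age={age} is below the recommended one year ({RECOMMENDED_MAX_AGE})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over plain HTTP")
    if "preload" not in d:
        findings.append("preload missing: the first visit is unprotected until the browser has seen the header")
    elif "includesubdomains" not in d or age < RECOMMENDED_MAX_AGE:
        findings.append("preload set, but the preload list also requires includeSubDomains and max-age of at least one year")
    return findings
```

Browsers only honour this header on HTTPS responses, and removal from the preload list takes a long time to propagate, so the checker flags preload whenever the other two directives are not in place.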

Infologica offers web application security testing, helping our customers implement proper measures to mitigate Internet threats.