HTTP Strict Transport Security (HSTS) is a web security standard (RFC 6797) that tells browsers to connect to a website only over HTTPS. Once a browser has seen the HSTS header for a site, it rewrites http:// URLs to https:// locally before any request leaves the machine, so the site no longer depends on the insecure practice of answering plain-HTTP requests with a redirect to https://.
HSTS is configured on the server and transmitted to HTTP clients in the Strict-Transport-Security response header. The header also specifies, in seconds, how long the browser should communicate with the host over HTTPS only.
Note: When a Strict-Transport-Security header is received over an insecure HTTP connection, or over an HTTPS connection whose certificate fails validation, the browser ignores it. Only a policy received over a properly authenticated HTTPS connection is stored.
When a domain has enabled HSTS, the browser does the following two things:
It always uses an https:// connection, even when the user clicks an http:// link or types an http:// address.
It prevents users from clicking through warnings about invalid certificates; the connection simply fails.
The policy tells a browser to enable HSTS for that domain (and optionally its subdomains) for a given time interval. The header takes one of the following forms:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload
<expire-time> is the number of seconds the browser should remember that the site must be reached over HTTPS only. A value of 0 tells the browser to forget the host.
includeSubDomains directs the browser to apply the rule to all pages and subdomains of the site.
preload is a non-standard directive required for inclusion in the HSTS preload list shipped with most major browsers. Submission to the list (hstspreload.org) additionally requires a max-age of at least one year (31536000 seconds) and includeSubDomains.
Consider the following example of a Strict-Transport-Security header:
Strict-Transport-Security: max-age=3600; includeSubDomains
All pages and subdomains would be served over HTTPS only for one hour (3600 seconds) after the header is received. This also blocks access to any page or subdomain that cannot be served over HTTPS, so audit every subdomain before enabling includeSubDomains.
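As an added example, not code from the original article, the following JavaScript models the browser side of this policy: parsing the header directives, keeping a "known HSTS hosts" store (the hypothetical `preloaded` argument stands in for the built-in preload list), and upgrading http:// URLs. The demo walks through the cases the article describes: the header ignored over plain HTTP, a subdomain matched through includeSubDomains, and expiry after max-age. Hostnames such as example.test and the fixed clock are constructed for the demo.

```javascript
// Added example, not code from the original article: a minimal model of how a
// browser parses Strict-Transport-Security and applies the stored policy.
// Hostnames, header values and the fixed clock below are constructed for the demo.

// Parse a Strict-Transport-Security header value into its directives.
// Returns null when the header is invalid (max-age missing or non-numeric),
// in which case a browser ignores the whole header.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const rawToken of headerValue.split(';')) {
    const token = rawToken.trim();
    if (token === '') continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Directive names are case-insensitive; unknown directives are ignored.
  }
  return policy.maxAge === null ? null : policy;
}

// The browser's "known HSTS hosts" store. `preloaded` stands in for the
// built-in preload list (hypothetical entries; the real list is far larger).
class HstsStore {
  constructor(preloaded = []) {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
    for (const host of preloaded) {
      this.entries.set(host, { expires: Infinity, includeSubDomains: true });
    }
  }

  // Record the policy carried by a response. `secure` means the response came
  // over HTTPS with a valid certificate; otherwise the header is ignored.
  observeResponse(host, headerValue, secure, now = Date.now()) {
    if (!secure) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) {          // max-age=0 removes the host
      this.entries.delete(host.toLowerCase());
      return true;
    }
    this.entries.set(host.toLowerCase(), {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered by an unexpired policy at time `now`? An exact entry
  // always applies; a parent-domain entry applies only with includeSubDomains.
  isKnown(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when the host is known; anything else
  // is returned unchanged. The URL parser drops the default port, so
  // http://host:80/ becomes https://host/ (port 443) as RFC 6797 requires.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnown(u.hostname, now)) return url;
    u.protocol = 'https:';
    return u.toString();
  }
}

// Walk through the article's scenario with the header from its example.
function demo() {
  const store = new HstsStore();
  const now = 1700000000000; // fixed clock so the result is deterministic
  const hdr = 'max-age=3600; includeSubDomains';
  const first = store.upgrade('http://example.test/login', now);      // unknown host: stays HTTP
  store.observeResponse('example.test', hdr, false, now);            // received over HTTP: ignored
  const afterHttp = store.upgrade('http://example.test/login', now);
  store.observeResponse('example.test', hdr, true, now);             // received over HTTPS: stored
  const afterHttps = store.upgrade('http://example.test/login', now);
  const sub = store.upgrade('http://api.example.test/v1', now);      // covered by includeSubDomains
  const expired = store.upgrade('http://example.test/login', now + 3601 * 1000);
  return { first, afterHttp, afterHttps, sub, expired };
}
```

The first request in `demo()` is the gap the article discusses below: with nothing in the store, the browser sends plain HTTP and relies on the server's redirect. Only after the header arrives over HTTPS does the store start rewriting URLs, and it stops again once max-age has elapsed without a refresh.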
HSTS helps prevent several attacks, including the following:
Downgrade attacks such as SSL stripping, in which an attacker on the network keeps the victim's browser on plain HTTP
However, some limitations remain if the domain is not on the preload list. For instance, the very first request to a website is still vulnerable if it is made over HTTP, even though the server redirects it to HTTPS: the browser has not yet seen the header, so an attacker on the path can intercept that request and the redirect.
The HSTS header also cannot prevent attackers from luring users to fraudulent domains. Attackers can achieve this through other forms of MITM, DNS spoofing, or look-alike domain names that resemble the website's real domain.
For the following header, how long will the browser enforce HTTPS on the domain and its subdomains?
Strict-Transport-Security: max-age=31536000; includeSubDomains