What is HTTP Strict Transport Security?

HTTP Strict Transport Security (HSTS) is a protocol standard that ensures that browsers always connect to a website over HTTPS. The HSTS header removes the need for the insecure practice of redirecting users from http:// to https:// URLs.

HTTP Strict Transport Security

HSTS is configured on the server and transmitted to any HTTP web client through the Strict-Transport-Security HTTP response header. The header also specifies a time interval during which the browser should only communicate with the site over HTTPS.

Note: When a Strict-Transport-Security header is sent over an insecure HTTP connection, the web browser ignores it because the connection is insecure.

What does HSTS do?

When a domain has enabled HSTS, the browser does the following two things:

  • It always uses an https:// connection, even when the user follows an http:// link.

  • It prevents users from clicking through warnings about invalid certificates.

Syntax

The policy tells a browser to enable HSTS for that domain or subdomain for a given time interval. The following header forms can be used to enable HSTS:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

  • <expire-time> is the time interval, in seconds, during which the browser should only use HTTPS connections to the site.

  • includeSubDomains directs the browser to apply the rule to all pages and sub-domains of the site.

  • preload is necessary for inclusion in most major web browsers' HSTS preload lists.

Example

Let us consider the following example of implementing HTTP Strict Transport Security:

Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and sub-domains would be served over HTTPS for one hour. This blocks access to pages or sub-domains that cannot be served over HTTPS.

How secure is HSTS?

HSTS helps prevent different cyber attacks, which include the following:

  • Man-in-the-middle (MITM) attacks

  • Session hijacking (cookie hijacking / sidejacking)

  • Downgrade attacks

However, some limitations still exist if the domain is not on the preload list. For instance, the first request to a website is still vulnerable if it is made over HTTP, even when the server responds with a redirect to HTTPS.

The HSTS header cannot prevent the use of fraudulent domains that trick users into visiting them. Attackers can achieve this through another type of MITM, DNS spoofing, or by using look-alike domain names that resemble a website's domain name.
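The following browser-side model ties together the syntax section, the max-age=3600; includeSubDomains example, and the first-request limitation described above. It is an added example written for this page, not code from the original page or from any browser; the function names, the cache layout and the sample responses are constructed assumptions. It parses the header, keeps a per-host policy store, ignores the header when it arrives over plain HTTP, and decides whether a later http:// navigation is upgraded.

```python
"""Browser-side model of HSTS (added example; names and data are assumed).

parse_hsts()   - parse a Strict-Transport-Security header value
HstsCache      - per-host policy store with expiry and subdomain matching
demo()         - walk through the page's example and its first-request gap
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Return {"max_age", "include_subdomains", "preload"} or None if malformed.

    Directive names are case-insensitive; unknown directives are ignored.
    A missing or non-numeric max-age makes the whole header invalid.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> policy + expiry."""

    def __init__(self, preloaded=()):
        # Preloaded hosts are trusted before any response is seen and never
        # expire here. This is a constructed stand-in for the real preload list.
        self._entries = {h.lower(): {"expires": float("inf"), "include_subdomains": True}
                         for h in preloaded}

    def process_response(self, url, headers, now=None):
        """Apply the Strict-Transport-Security header of a response for `url`."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        # No header, or a header over plain HTTP (could be injected): ignore.
        if value is None or parts.scheme != "https":
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 forgets the policy
            return True
        self._entries[host] = {"expires": now + policy["max_age"],
                               "include_subdomains": policy["include_subdomains"]}
        return True

    def is_known(self, host, now=None):
        """True when `host` or a covering parent has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry["expires"] <= now:
                continue
            if i == 0 or entry["include_subdomains"]:  # parent needs includeSubDomains
                return True
        return False

    def navigate(self, url, now=None):
        """Return the URL the browser would actually request (upgraded or not)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            netloc = parts.hostname + (f":{parts.port}" if parts.port not in (None, 80) else "")
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Constructed walk-through: first visit, page's example header, expiry."""
    t0 = 1_700_000_000
    cache = HstsCache()
    # First request over plain http: nothing cached yet, so it is NOT upgraded.
    first = cache.navigate("http://example.com/", now=t0)
    # The https response carries the page's example header.
    cache.process_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=3600; includeSubDomains"},
                           now=t0)
    later = cache.navigate("http://www.example.com/login", now=t0 + 1800)    # upgraded
    expired = cache.navigate("http://www.example.com/login", now=t0 + 3601)  # one hour passed
    return first, later, expired


if __name__ == "__main__":
    print(demo())
```

The preloaded hosts in the constructor illustrate why the preload directive closes the first-request gap: a host in the store before any response arrives is upgraded from the very first navigation, whereas a host that relies only on the header is upgraded only after one successful HTTPS response.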

Question

For the following header, what is the max-age during which the subdomains must use HTTPS?

Strict-Transport-Security: max-age=31536000; includeSubDomains
