
HTTP Strict Transport Security

Understand HTTP Strict Transport Security to ensure your web application enforces HTTPS connections and prevents man-in-the-middle attacks. Learn to configure the Strict-Transport-Security header and implement HSTS using Helmet middleware in Node.js.

HTTP Strict Transport Security, also known as HSTS, is a protocol standard that enforces secure connections to the server, that is, HTTP over SSL/TLS. HSTS is configured on the server and transmitted to any HTTP web client in the Strict-Transport-Security response header, which specifies a time interval during which the browser should communicate with the site only over a secured HTTP connection (HTTPS).

Tip

When a Strict-Transport-Security header is sent over an insecure HTTP connection, the web browser ignores it because the connection is insecure.

After the header has been set, the browser consults a preload service, like Google’s, to determine whether the website has opted in for HSTS.

The risk

Even when a site communicates over a secure HTTPS connection, a malicious user positioned between the client and the server can perform a Man-In-The-Middle (MITM) attack. This type of attack downgrades future requests to the webserver so that they use a plain HTTP connection. Once an HTTP connection is established, the attacker is able to see and read all the data that flows through it.

Interesting Fact: The original HSTS draft was published in 2011 by Jeff Hodges from PayPal, Collin Jackson from Carnegie Mellon University, and Adam Barth from Google.

A website that uses HTTPS can still create insecure HTTP requests, however. End users would not suspect anything to be amiss, but they may still be exposed to MITM attacks.
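To make the mechanism concrete, the following added example (not code from the original page, and not using Helmet) models how a browser processes the header: it builds the Strict-Transport-Security value a server would send, ignores it when received over plain HTTP, remembers the policy for the stated time interval, and upgrades later http:// requests to https:// while that interval is in force. All hosts and timestamps are constructed sample values.

```javascript
// Build the header value the server sends, e.g. "max-age=31536000; includeSubDomains".
function buildHstsHeader({ maxAge, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAge) || maxAge < 0) throw new Error('max-age must be a non-negative integer');
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Parse the directives of a received header; returns null when no valid max-age is present.
function parseHstsHeader(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of String(value).split(';')) {
    const [name, val] = raw.trim().split('=').map((s) => s && s.trim());
    const key = (name || '').toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(val || '')) policy.maxAge = Number(val);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

// Simulated browser-side HSTS cache, keyed by host (a constructed model, not a real browser API).
class HstsStore {
  constructor() { this.policies = new Map(); }

  // Record a policy only if the response arrived over HTTPS; over plain HTTP it is ignored.
  observeResponse({ host, scheme, header }, now) {
    if (scheme !== 'https') return false;
    const policy = parseHstsHeader(header);
    if (!policy) return false;
    if (policy.maxAge === 0) { this.policies.delete(host); return true; } // max-age=0 clears the entry
    this.policies.set(host, { ...policy, expires: now + policy.maxAge * 1000 });
    return true;
  }

  // Rewrite an http:// URL to https:// while a policy for its host (or parent host) is in force.
  upgrade(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return url;
    for (const [host, p] of this.policies) {
      const match = u.hostname === host || (p.includeSubDomains && u.hostname.endsWith('.' + host));
      if (match && now < p.expires) { u.protocol = 'https:'; return u.toString(); }
    }
    return url; // no policy: the downgraded request would go out in the clear
  }
}
```

Once the policy has expired (now >= expires), `upgrade` returns the http:// URL unchanged, which is exactly the window a MITM downgrade exploits, so servers should keep max-age long and re-send the header on every HTTPS response.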

In the ...