Web security: HSTS

Improve the security of your website with the HSTS policy, which stops browsers from reaching it over insecure plain HTTP.

Introduction

HTTP Strict Transport Security, or HSTS (RFC 6797), is a security policy by which a web server tells browsers that the site must only be reached over HTTPS, so that visitors to our web site can no longer access it insecurely through the HTTP protocol.

Once a browser has seen the policy for a site, every attempt to access it via the HTTP protocol (a typed http:// URL, a link, a bookmark) is rewritten to the HTTPS version by the browser itself before any request leaves the machine, and certificate errors for that site can no longer be clicked through. Hence the name strict.

Enable HSTS

This directive is enabled on the server by adding an HTTP header to the response. Browsers only honour the header when it arrives over HTTPS with a valid certificate (a Strict-Transport-Security header on a plain HTTP response is ignored). From the first HTTPS visit on, the browser remembers the policy for a time defined by the server.

HTTP -> HTTPS

If the visitor never accesses via HTTPS and always accesses via HTTP, the header is useless, since the policy only starts on the first visit via the HTTPS protocol. Be sure to redirect HTTP requests to the HTTPS version (a 301 to the same host) and to send the header on the HTTPS responses, so that browsers remember the directive on future accesses. Keep in mind that this first plain-HTTP visit is the window an attacker on the network can still exploit (the classic SSL-stripping attack); it is exactly what the preload list covered below closes.
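Server side, the two steps above (redirect plain HTTP to HTTPS on the same host, send the header only on HTTPS responses) as an added example in Python, not code from the original article: a hypothetical WSGI middleware, HstsMiddleware, wrapping a trivial application and driven with constructed request environments so it runs offline.

```python
"""Server-side HSTS as a WSGI middleware (added example, not the article's code).
HstsMiddleware, run_request and hello_app are hypothetical names."""
from urllib.parse import quote


class HstsMiddleware:
    def __init__(self, app, max_age=31536000, include_subdomains=True, preload=False):
        self.app = app
        value = f"max-age={max_age}"
        if include_subdomains:
            value += "; includeSubDomains"
        if preload:
            value += "; preload"
        self.header_value = value

    def __call__(self, environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        if scheme != "https":
            # Same-host redirect to HTTPS. A browser that already cached the
            # policy never gets here: it rewrites the URL itself.
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # The header is only meaningful over HTTPS (browsers ignore it on
            # plain HTTP), so it is emitted on HTTPS responses only.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.header_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def run_request(app, scheme, host, path="/", query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "REQUEST_METHOD": "GET",
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


app = HstsMiddleware(hello_app, max_age=31536000, include_subdomains=True)

if __name__ == "__main__":
    print(run_request(app, "http", "example.com", "/login", "next=%2F"))
    print(run_request(app, "https", "example.com", "/login"))
```

Behind a TLS-terminating reverse proxy, wsgi.url_scheme is whatever the proxy reports (typically from X-Forwarded-Proto); accept that value only from your own proxy, otherwise a client can claim HTTPS and skip the redirect.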

The header in question is Strict-Transport-Security and accepts three directives: max-age, includeSubDomains and preload, only the first being mandatory. Directive names are case-insensitive and separated by semicolons. Note that preload is not defined in RFC 6797; it is a token recognised by the preload-list process described below.

HSTS header examples
Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The max-age parameter indicates (in seconds) how long the browser should remember the policy, counted from the last response that carried the header, so regular visits keep it refreshed. To achieve an A+ grade in the security test offered by Qualys SSL Labs, the max-age value must be at least 6 months (15768000 seconds); the preload list, below, requires at least one year (31536000).

The optional includeSubDomains parameter makes the policy also apply to all subdomains (recommended). Before enabling it, check that every subdomain, internal hosts included, is actually served over HTTPS: once a browser has cached the policy for example.com, an http://intranet.example.com without TLS simply stops working in that browser.

Finally, the optional preload parameter signals that the site owner consents to the domain being added to the HSTS preload lists, which we will see below. Browsers ignore it otherwise; it is required by the submission process, not by the RFC.
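As an added example (not code from the article), a parser and auditor for the header value in Python. Parsing follows the RFC 6797 rules (directives separated by semicolons, case-insensitive names, optionally quoted values, no duplicate directives, max-age required, unknown directives ignored) and the audit checks the value against the two thresholds above. parse_hsts, audit_hsts and the threshold constants are my own names.

```python
"""Parse and audit a Strict-Transport-Security value (added example, not the
article's code). Thresholds: SSL Labs A+ needs 6 months, preload needs 1 year."""
import re

SIX_MONTHS = 15768000   # SSL Labs threshold for the A+ bonus
ONE_YEAR = 31536000     # hstspreload.org minimum max-age

# token [ "=" ( quoted-string / token ) ] per RFC 6797 section 6.1
_DIRECTIVE = re.compile(r'''^([A-Za-z0-9!#$%&'*+\-.^_`|~]+)(?:=(?:"([^"]*)"|([^";\s]*)))?$''')


class HstsError(ValueError):
    pass


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool}.
    Raises HstsError for a value a browser would reject."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directives (e.g. a trailing ';') are allowed
        m = _DIRECTIVE.match(raw)
        if not m:
            raise HstsError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        arg = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            raise HstsError(f"duplicate directive: {name}")
        seen[name] = arg
    if "max-age" not in seen:
        raise HstsError("max-age directive is required")
    max_age = seen["max-age"]
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise HstsError(f"max-age must be a non-negative integer, got {max_age!r}")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def audit_hsts(value):
    """Return a list of findings against the thresholds discussed above."""
    p = parse_hsts(value)
    findings = []
    if p["max_age"] == 0:
        findings.append("max-age=0: the policy is being withdrawn, browsers forget the host")
        return findings
    if p["max_age"] < SIX_MONTHS:
        findings.append(f"max-age {p['max_age']} is below the 6-month SSL Labs A+ threshold")
    if p["preload"]:
        if p["max_age"] < ONE_YEAR:
            findings.append("preload set but max-age is below the 1-year preload-list minimum")
        if not p["include_subdomains"]:
            findings.append("preload set but includeSubDomains is missing (required for preloading)")
    elif not p["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    for v in ("max-age=31536000; includeSubDomains; preload", "max-age=300", 'MAX-AGE="0"'):
        print(v, "->", audit_hsts(v) or "ok")
```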

Disable HSTS

To disable this policy, change the value to max-age=0 (and drop includeSubDomains). The header must remain present, over HTTPS, for long enough that returning visitors receive the new value and forget the policy; visitors who do not return keep the old policy until their cached max-age runs out. A domain that is on the preload list must additionally be removed from the list, which only takes effect as browsers ship new versions.

Preload

Google created the HSTS preload list some time ago; the administrator of a website can ask for their domain to be included. The list is compiled into the Google Chrome browser. Other browsers such as Firefox, Opera, Safari, IE11 and Edge maintain their own preload lists derived from this project, so including a domain in Google's list is enough to preload it in all the other supported browsers.

To add a domain to the HSTS preload list, follow the instructions on the website hstspreload.org. In short, the base domain must serve a valid certificate, redirect HTTP to HTTPS on the same host, serve every subdomain over HTTPS, and send the header with a max-age of at least one year together with includeSubDomains and preload.

Don't look back

Remember that once your domain is on the preload lists it is considerably harder to go back on the decision: your domain, and every subdomain, will only be accessible via HTTPS.

Because the browser already knows the domain's HSTS status before the first connection, connecting via HTTP becomes impossible from the very first visit, and the requirement that a user first connect via the HTTPS protocol to receive the header disappears: the browser no longer needs to see the header to enforce the policy. You must still keep sending it, since the preload list checks for it.
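The browser side of everything described so far, as an added example in Python (not code from the article or from any browser): a model of the HSTS host store showing that the header is learned only from HTTPS responses with a valid certificate, that http:// URLs to a known host are rewritten before any request is sent, that includeSubDomains extends the policy to subdomains, that max-age=0 withdraws it, that the entry expires after max-age, and that a preloaded host needs no first visit. HstsStore, observe, rewrite and scenario are hypothetical names; the clock is injected so expiry can be exercised offline.

```python
"""Model of a browser's HSTS host store (added example, not from the article)."""
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, preload=(), now=lambda: 0):
        self.now = now
        # host -> (expires_at or None when preloaded, include_subdomains)
        # Preloaded entries carry includeSubDomains, as the list requires.
        self.known = {host: (None, True) for host in preload}

    @staticmethod
    def _parse(value):
        # Minimal directive parse, enough for max-age and includeSubDomains.
        directives = {}
        for d in value.split(";"):
            name, _, arg = d.strip().partition("=")
            directives[name.lower()] = arg.strip('" ')
        return directives

    def observe(self, url, headers, cert_ok=True):
        """Process a response; the header only counts over HTTPS with a good cert."""
        parts = urlsplit(url)
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None or parts.scheme != "https" or not cert_ok:
            return False
        d = self._parse(value)
        if not d.get("max-age", "").isdigit():
            return False
        max_age = int(d["max-age"])
        if max_age == 0:
            self.known.pop(parts.hostname, None)   # max-age=0 withdraws the policy
            return True
        self.known[parts.hostname] = (self.now() + max_age, "includesubdomains" in d)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at is not None and expires_at <= self.now():
                del self.known[candidate]           # expired: forget it
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """The browser-internal redirect: http:// becomes https:// for known hosts.
        Port 80 (or no port) maps to the HTTPS default; other ports are kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def scenario():
    """Constructed walk-through; returns the observable results as a dict."""
    clock = [1000]
    store = HstsStore(preload=["preloaded.example"], now=lambda: clock[0])
    hdr = {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}
    out = {}
    out["http_ignored"] = store.observe("http://example.com/", hdr)
    out["before"] = store.rewrite("http://example.com/")
    out["learned"] = store.observe("https://example.com/", hdr)
    out["after"] = store.rewrite("http://example.com/")
    out["subdomain"] = store.rewrite("http://www.example.com/a?b=1")
    out["other_port"] = store.rewrite("http://example.com:8080/")
    out["bad_cert"] = store.observe("https://other.example/", hdr, cert_ok=False)
    out["other_unchanged"] = store.rewrite("http://other.example/")
    store.observe("https://example.com/", {"Strict-Transport-Security": "max-age=0"})
    out["withdrawn"] = store.rewrite("http://example.com/")
    store.observe("https://example.com/", hdr)
    clock[0] += 3601
    out["expired"] = store.rewrite("http://example.com/")
    out["preloaded"] = store.rewrite("http://preloaded.example/")
    out["preloaded_sub"] = store.rewrite("http://api.preloaded.example/")
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:16} {v}")
```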

Although these restrictions may look like a drawback, enabling the HSTS header and preloading the directive is a clear plus that protects the data flow of your site.
