HTTP Strict Transport Security (HSTS)

Last Updated : 24 Jul, 2025

HTTP Strict Transport Security (HSTS) strengthens site security by compelling browsers to connect to a website over HTTPS only. As attacks on the web have grown more sophisticated, defences have had to keep pace. One important weakness in web applications is the use of unencrypted HTTP connections, which expose users to man-in-the-middle (MITM) attacks and protocol downgrade.

Accessing a website over an insecure HTTP link exposes users to risks such as session hijacking and cookie theft. HSTS helps safeguard sensitive data against such attackers.

HSTS also improves performance by removing the need for an HTTP-to-HTTPS redirect round trip on every request, which makes page loads faster and smoother. By adopting HSTS, website owners and developers take a real step toward securing their platforms and earning user confidence.


Syntax

An HTTP response header passes the HSTS policy from the server to the browser. Once it is received, the browser must use HTTPS for all future requests to the site for the time frame defined by the max-age directive. The full syntax of the HSTS header is as follows:

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload

  • max-age: the number of seconds for which the browser remembers the HSTS policy. Setting max-age to 31536000 keeps the policy for one year. When this period ends, the browser stops requiring HTTPS unless it has received another HSTS header in the meantime.
  • includeSubDomains (optional): applies the HSTS policy to all subdomains as well as the main domain. Without this directive the policy covers only the host that sent the header. Adding it keeps subdomains on HTTPS too.
  • preload (optional): signals that the site wishes to be included in the browsers' preload lists. Once a domain is on the list shipped with browsers such as Chrome and Safari, HTTPS is enforced for every user from the very first visit, with no prior visit required. To enter the preload list a site must meet specific criteria and submit its domain to the shared list managed by the browser vendors.

Every HTTPS response should carry the HSTS header so that the policy's expiry keeps being refreshed. This guarantees that after the initial visit the browser enforces HTTPS for the full max-age period.

Preloading Strict Transport Security

Preloading HSTS guarantees that even the very first request to your website is made over HTTPS. With regular HSTS a browser starts enforcing HTTPS only after it has received the HSTS header from the server, so the first connection may take place over plain HTTP and, for all intents and purposes, remain open to attack. HSTS preloading closes this gap.

You submit your domain to the HSTS preload list that browser vendors maintain. Once the domain is on this list, browsers make every connection to it over HTTPS from the very beginning. This adds an extra layer of security by removing the initial HTTP connection that certain attacks depend on.

To enable preloading, your HSTS header must include the following:

  • max-age must be at least one year (31536000 seconds or more).
  • includeSubDomains must be specified.
  • The preload directive must be present.

Once these conditions are met, you can submit your domain to the preload list at https://hstspreload.org/.

Example of an HSTS header for preloading:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

How Does the Browser Handle It?

When a browser visits a site with an HSTS policy, the following sequence occurs:

  • Initial Request: if the user visits the site over HTTP, the server should respond with a 301 redirect to HTTPS; the HTTPS response then includes the HSTS header. From that point on the browser uses only HTTPS when dealing with the site.
  • Future Requests: for the period defined by max-age, the browser converts every HTTP request for the domain to HTTPS automatically. If a user manually types "http://example.com/", the browser rewrites the URL to "https://example.com/" before sending the request to the server.
  • Invalid SSL Certificates: if the site's SSL/TLS certificate is invalid or expired, the browser refuses the connection altogether. The user is not allowed to proceed with an insecure connection, which adds another layer of protection: the security warning cannot be clicked through.
  • Preloaded Sites: for sites on the HSTS preload list (the list of sites for which a client must use HTTPS from the first request, even if the user has never visited them), browsers enforce HTTPS from the very first request. This removes the chance of the initial connection being made over insecure HTTP.

Example

Consider the following example of an HSTS header:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

When this header is present in the server's response, browsers enforce HTTPS for the domain and apply the same rule to every subdomain. A simpler HSTS header without the optional directives looks like this:

Strict-Transport-Security: max-age=31536000

This policy covers only the main domain for one year; it does not include subdomains and does not qualify for the preload list. For sites with few subdomains that prefer to stay off the preload list, this approach works well.

Implementation with Nginx and Apache

Web servers such as Nginx and Apache can set the HSTS header directly.

Nginx Implementation

To configure HSTS in Nginx, edit the HTTPS server block in your configuration file. Below is an example Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;

    # SSL configuration
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # HSTS header (max-age is set to 1 year, includes subdomains, and preload).
    # "always" sends the header on every response code, including error pages;
    # without it Nginx adds the header only to certain 2xx and 3xx responses.
    # Note: a location block that declares its own add_header directives does
    # not inherit this one, so repeat it there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        # Your site's root configuration
        try_files $uri $uri/ =404;
    }
}

Once configured, reload Nginx to apply the changes:

sudo systemctl reload nginx

Apache Implementation

Implementing HSTS on Apache means adding the header either to the .htaccess file in your site's root directory or to the virtual host configuration file (for example /etc/apache2/sites-available/000-default.conf).

Here is how to add the HSTS header in the Apache configuration:

<VirtualHost *:443>
    ServerName example.com

    # SSL configuration
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key

    # HSTS header (max-age is set to 1 year, includes subdomains, and preload).
    # The Header directive requires mod_headers to be enabled; "always" sends
    # the header on every response, including error responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

After making these changes, restart Apache to apply the HSTS header:

sudo systemctl restart apache2

Testing Your HSTS Implementation

You can verify that your HSTS policy is in place by inspecting the response headers of an HTTPS request in your browser's Developer Tools (Network tab), or by using an online scanner such as SSL Labs, which reports whether the Strict-Transport-Security header is present and what it contains.

How It Works

Understanding how HSTS functions helps web developers and administrators apply it correctly and avoid likely problems. The following steps outline the process from the browser's perspective:

  • Initial Request: on the first visit to a website the user may connect over HTTP or HTTPS, depending on how the site is configured. When the connection is made over HTTPS, the server can issue the Strict-Transport-Security header.
    • If the user first connects over HTTP rather than HTTPS, the HSTS header is not received and the site remains at risk of attack for the duration of that connection. Many sites therefore redirect HTTP to HTTPS to make sure users connect securely from the outset.
  • HSTS Policy Activation: as soon as the browser receives the HSTS header, it stores the policy and applies it to every future request within the specified max-age. Any attempt to reach the site over HTTP is immediately redirected to HTTPS by the browser itself. The user does not need to do anything; the browser handles the enforcement.
  • Subsequent Requests: for as long as the HSTS policy is valid, all access to the site requires HTTPS. Even if the user manually types "http://example.com/" in the address bar, the browser rewrites it to "https://example.com/" before sending the request, so every interaction with the server stays protected.
  • Preventing Insecure Communication: HSTS also protects users when an HTTPS connection fails. If the site does not present a valid, unexpired SSL/TLS certificate, the browser refuses the connection entirely rather than showing a warning page that can be clicked through, so users cannot bypass the SSL warning and reach the site over HTTP.
  • Preloading: sites that set the preload directive and meet the requirements can be added to the browser preload lists. Through preloading, browsers enforce HTTPS even before a user visits the site for the first time, closing the window of risk at the start of the very first visit to critical online resources.

To prepare a site for preloading, administrators must confirm that the HSTS header carries max-age=31536000 (or larger) together with the includeSubDomains and preload directives. Sites that meet these requirements can then be submitted to the browser preload list.
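As an added example (not code from the original article, and not any browser's real implementation), the following Python script models the browser-side behaviour described in How Does the Browser Handle It? and How It Works, and also checks a header value against the preload requirements listed under Preloading Strict Transport Security. The hostnames are constructed, and the names HstsStore, parse_hsts and preload_problems are this example's own.

```python
"""Toy model of browser-side HSTS handling plus a preload-eligibility check.

Added example; not code from the original article or from any browser.
Hostnames used below are constructed for illustration.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age for preload submission


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when max-age is missing or malformed: a browser ignores
    such a header rather than guessing at it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_problems(header_value):
    """Return the preload requirements the header fails (empty list = eligible)."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["header missing or has no valid max-age"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least %d (one year)" % ONE_YEAR)
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains is required")
    if not policy["preload"]:
        problems.append("preload directive is required")
    return problems


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self, preloaded=(), now=time.time):
        self.now = now  # injectable clock so expiry can be exercised
        # Preloaded hosts are built into the browser and never expire.
        self.entries = {host.lower(): (float("inf"), True) for host in preloaded}

    def observe(self, host, scheme, header_value):
        """Record the policy from a response; browsers only honour it over HTTPS."""
        if scheme != "https":
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = (self.now() + policy["max_age"],
                                      policy["include_subdomains"])

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > self.now() and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # Explicit port 80 maps to the HTTPS default; other ports are kept as-is.
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    print(preload_problems("max-age=86400"))  # fails all three requirements
    store = HstsStore(preloaded=["preloaded.example"])
    store.observe("example.com", "https", "max-age=31536000; includeSubDomains")
    for url in ("http://example.com/", "http://api.example.com/v1", "http://other.test/"):
        print(url, "->", store.rewrite(url))
```

The store deliberately ignores a header received over plain HTTP, because that is what browsers do; this is why the article's advice to send the header on every HTTPS response matters, and why an HTTP-only site gains nothing from setting it.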

Conclusion

Adopting HTTP Strict Transport Security (HSTS) is one of the most important measures in current web security practice. HSTS shuts out the insecure HTTP protocol and keeps websites and their users safe from a range of attacks. By enabling browser preloading, website administrators secure communication even before the first user visit.

Activating HSTS is simple for website administrators and benefits both security and performance. In an era of evolving cybersecurity threats, policies like HSTS will be vital to offering everyone a safe and trustworthy online experience.
