HTTP Strict Transport Security (HSTS)

Introduction

Learn about how HSTS protects users against a variety of threats. We will discuss the use cases for HSTS, how it affects user experience and how it works under the hood.
About Ruptura InfoSecurity
Ruptura InfoSecurity are a fully accredited and trusted UK based cyber security provider. You can rest assured that our technical cyber security expertise and level of service is second to none.

What is HSTS?

HSTS is an acronym for HTTP Strict Transport Security, defined in RFC 6797. This security mechanism was designed to ensure your website is only accessed over a secure HTTPS (SSL/TLS) connection. Enabling the HSTS header for a domain name on the server side instructs browsers to make secure, encrypted connections to that domain even if the user initially tries to access the site over a plain HTTP connection.

HSTS is supported by all major browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera and many more. However, there are still a few mobile browsers that do not support HSTS. If a user navigates to the unencrypted version of an HTTPS site using such a browser, the browser will allow the unsafe connection.

What Does HSTS Protect Against?

Ensuring your web server only communicates with clients over a secure connection helps protect application users from various attack types, such as cookie hijacking, a form of Man-in-the-Middle (MitM) attack. HSTS is also an additional layer of protection against SSL Stripping attacks, which attempt to force the browser to drop the secure (HTTPS) connection and fall back to the insecure (HTTP) alternative.

How Does HSTS Work?

HTTP Strict Transport Security is enforced by the web browser rather than the web-server. The implementation of the header on the server-side simply instructs the browser to ensure that the connection is established with a secure (HTTPS) connection.

What does the HSTS header look like?

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • The Strict-Transport-Security header keyword, followed by a colon.

  • max-age is a mandatory directive which specifies the time, in seconds, that the browser should remember to enforce HSTS. In the example above, it’s set to 31,536,000 seconds, which is one year.

  • includeSubDomains is an optional directive that indicates that the HSTS policy should also be applied to all subdomains of the specified domain. If this is not specified and you only send an HSTS header for your primary domain such as example.com, HSTS won’t apply to www.example.com or any other subdomains.

  • preload is an optional directive that indicates that the domain should be included in the HSTS preload list. Being on the preload list means that browsers will automatically enforce HSTS for the domain, even for the first visit. Note: this parameter is not part of the official specification.

How to Protect Yourself Using HSTS?

To enable HSTS you need to be the web server administrator. Following the steps detailed below, you can safely add the HSTS header to all HTTPS responses automatically on the most well-known web servers.

Important: Before enabling HSTS, make sure all web pages are accessible via HTTPS. Otherwise, any HTTP-only parts of your site will become inaccessible to browsers that have received the header.

Configuring HSTS

Apache

  1. Open the Apache configuration file or .htaccess. The location of the Apache configuration file can vary depending on your system, but common locations include /etc/httpd/httpd.conf or /etc/apache2/apache2.conf. Additionally, Apache allows per-directory configuration through .htaccess files.

  2. Add the HSTS header:
    # Requires mod_headers (on Debian/Ubuntu: sudo a2enmod headers)
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  3. Restart Apache:
    sudo systemctl restart apache2

IIS

  1. Open IIS Manager.

  2. Select your website and open HTTP Response Headers.

  3. Click Add.

  4. Set the HSTS header:
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains; preload

  5. Click OK to save the settings.

  6. Restart IIS: For the changes to take effect, you may need to restart IIS. You can do this by clicking on the server name in the Connections pane, then clicking on “Restart” in the Actions pane on the right.

Nginx

  1. Open the Nginx configuration file. The location of this file may vary depending on your system, but common locations include /etc/nginx/nginx.conf or a directory like /etc/nginx/conf.d/.

  2. Add the HSTS header inside the server block:
    # "always" makes Nginx add the header on error responses as well as 2xx/3xx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  3. Reload Nginx:
    sudo systemctl reload nginx

How to Turn Off HSTS?

To turn off HSTS, modify the existing HSTS header and set the max-age directive to 0. Next time a browser sends an HTTPS request to your server, it will be informed that HSTS for the current domain has expired and will no longer enforce it.

Note: Setting the max-age directive to a short period such as 60 – 120 seconds for testing purposes, before setting its final value, is advised. This is far easier and safer than trying to manually remove HSTS information from browser caches.

What is the HSTS Preload List?

The HSTS preload list is a list of domains built into (preloaded in) the browser, which are served over a secure (HTTPS) connection from the very first visit. This means that, for users of supporting browsers, domains they visit which are in the preload list are accessed over a secure connection (HTTPS) from the very first request, without the browser ever having seen the header.

You can request inclusion of your website in the preload list on the official managed website, hstspreload.org.

How to Get on the HSTS Preload List?

To include your domain in the HSTS preload list, you need to meet a few requirements:

  1. All your domains and subdomains (as specified in your DNS records) must have valid SSL/TLS certificates and use up-to-date SSL/TLS ciphers.

  2. All insecure HTTP requests must be automatically redirected to the secure channel (HTTPS).

  3. The HSTS header should be configured for the base domain with a max-age of at least 1 year (31536000), the includeSubDomains directive, and the preload directive. For example: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  4. The form on the hstspreload.org website needs to be submitted for your domain to be considered for the preload list. If the conditions are met, your domain will be included in future preload lists, which may take a few months.
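As an added example (not code from the original article), the following Python model ties together the browser-side behaviour described earlier and the header requirements just listed: it parses a Strict-Transport-Security value, keeps a browser-style HSTS cache that upgrades http:// URLs for a host or for a parent domain that sent includeSubDomains, deletes the entry when max-age=0 is received (how HSTS is turned off), ignores the header on plain-HTTP responses as RFC 6797 requires, honours preloaded hosts on the first visit, and checks the max-age/includeSubDomains/preload conditions from the preload requirements. The class and function names and the sample hosts are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload'; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        raise ValueError("max-age directive missing or invalid")
    directives["max-age"] = int(directives["max-age"])
    return directives

class HstsStore:
    """The browser-side cache that actually enforces the policy (hypothetical name)."""
    def __init__(self, preload=()):
        # Preloaded hosts behave like never-expiring includeSubDomains entries.
        self.entries = {h: (float("inf"), True) for h in preload}

    def observe(self, host, secure, header, now):
        """Record a header; RFC 6797 ignores the header on plain HTTP responses."""
        if not secure:
            return
        d = parse_hsts(header)
        if d["max-age"] == 0:  # max-age=0 deletes the entry: this is how HSTS is turned off
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + d["max-age"], "includesubdomains" in d)

    def is_known(self, host, now):
        """True if host, or a parent that sent includeSubDomains, has a live entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            expiry, subs = self.entries.get(".".join(labels[i:]), (0, False))
            if expiry > now and (i == 0 or subs):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// before the request ever leaves the browser."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or "", now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

def preload_eligible(header):
    """Header checks hstspreload.org applies: max-age >= 1 year plus both directives."""
    d = parse_hsts(header)
    return d["max-age"] >= 31536000 and "includesubdomains" in d and "preload" in d
```

The `now` arguments are plain second counters so the expiry logic can be exercised without waiting; a real browser uses wall-clock time.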