Strict-Transport-Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks, particularly those that involve protocol downgrade attacks and cookie hijacking over insecure connections.
HSTS instructs web browsers to always use a secure, encrypted connection (HTTPS) when communicating with a specific website, thereby enhancing the overall security of web communication.
How HSTS Works
Step | Description |
---|---|
Initial Request to the Website | When a user’s browser first connects to a website that has HSTS enabled, the website sends an HTTP response header named Strict-Transport-Security in the server’s response. |
HSTS Header Format | The HSTS header specifies the maximum amount of time (in seconds) that the browser should enforce the use of HTTPS for the specified domain and its subdomains. |
Browser Storage | Upon receiving the HSTS header, the browser stores this information locally. The HSTS policy is then applied for the specified duration (defined by `max-age`). |
Subsequent Requests | For the duration specified by `max-age`, whenever the user’s browser attempts to connect to the same website, it will automatically use HTTPS, regardless of whether the user initially entered “http://” or “https://” in the address bar. |
Protection Against Downgrade Attacks | HSTS protects against protocol downgrade attacks, where an attacker attempts to force communication over unencrypted HTTP instead of the secure HTTPS. Even if an attacker successfully intercepts the initial unencrypted connection, the browser will refuse to connect over HTTP for the duration of the HSTS policy. |
Protection for Subdomains | If the HSTS header includes the `includeSubDomains` directive, the policy is extended to all subdomains of the specified domain. This ensures a consistent and secure browsing experience across the entire domain. |
Preloading | Websites that include the `preload` directive in their HSTS headers can be added to browser preload lists. This means that the browser will enforce HSTS even during the very first visit to the site, enhancing security from the outset. |
Renewal of HSTS Policy | To extend the HSTS policy, the website should continue to send HSTS headers in its responses, ideally well before the expiration of the current policy. This ensures a seamless transition to the renewed policy without any lapse in security. |
Anatomy of the HSTS Header
The Strict-Transport-Security (HSTS) header has a specific syntax; these are its basic elements:

```http
Strict-Transport-Security: max-age=<seconds>; [includeSubDomains]; [preload]
```

HSTS Directives:
Here is what each part means:
Directive | Description | Example |
---|---|---|
`max-age=<seconds>` | This directive specifies the maximum amount of time (in seconds) that the browser should enforce the use of HTTPS. It is a required parameter. | `max-age=31536000` (1 year) |
`includeSubDomains` | This directive, when present, indicates that the HSTS policy should also apply to all subdomains of the specified domain. It is an optional parameter. | `includeSubDomains` |
`preload` | This directive, when present, indicates that the website is eligible for inclusion in browser preload lists, ensuring HSTS enforcement even during the first visit. It is an optional parameter. | `preload` |
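The following is an added example, not code from the original article, that models both halves of what the two tables above describe: how a browser parses the header, stores a per-host policy and upgrades later `http://` navigations (including the `includeSubDomains` match, policy expiry and the `max-age=0` case), and the checks a preload list applies before accepting a site. It goes slightly beyond the tables in that it also ignores a header received over plain HTTP, which is what browsers do so that an on-path party cannot plant or alter a policy. The host names and response headers in it are constructed, and the one-year preload minimum is taken from the `max-age=31536000` example above.

```python
import time
from urllib.parse import urlsplit

# Minimum max-age the browser preload list accepts (one year, as in the table above).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS header value into a dict, or return None if it is unusable.

    Directive names are case-insensitive and unknown directives are ignored,
    as RFC 6797 requires; a missing or non-numeric max-age makes the whole
    header invalid.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_problems(value):
    """List the reasons a header would be refused for preload submission ([] means eligible)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["missing or invalid max-age"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Per-host HSTS state, kept the way a browser keeps it."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be exercised
        self.hosts = {}     # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record the policy carried by one response; returns True if it was applied.

        A header received over plain HTTP is ignored, exactly as browsers do.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = parts.hostname
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, url):
        """True if an http:// URL must be rewritten to https:// before any request is sent.

        Matches the exact host, or any parent domain whose policy has includeSubDomains.
        """
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.now():
                continue             # an expired policy is treated as absent
            if i == 0 or include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    # Constructed response from a placeholder host, as a browser would receive it over HTTPS.
    store.observe("https://example.com/", {"Strict-Transport-Security":
                  "max-age=31536000; includeSubDomains; preload"})
    print(store.should_upgrade("http://www.example.com/login"))   # True
    print(preload_problems("max-age=300"))
```

The clock is injected so that the expiry behaviour in `should_upgrade` can be exercised without waiting; in a real browser the store is also persisted across restarts, which this model leaves out.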
Example HSTS Configurations
Basic HSTS Header
This example instructs the browser to enforce the use of HTTPS for 1 year (31,536,000 seconds) for the specified domain.

```http
Strict-Transport-Security: max-age=31536000
```

HSTS Header with Subdomain Inclusion
This example, in addition to enforcing HSTS for the specified domain, extends the policy to all of its subdomains.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

HSTS Header with Preload
This example, in addition to enforcing HSTS for the specified domain and subdomains, indicates that the website is eligible for inclusion in browser preload lists.

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
HSTS Configured in Apache
This Apache configuration sets the HSTS header for a duration of 1 year, includes subdomains, and marks the site as eligible for preload. `Header always set` ensures the header is also added to error and redirect responses, not only to successful ones.

```apache
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```
HSTS Configured in NGINX
This NGINX configuration redirects plain HTTP to HTTPS and, on the HTTPS server, sets the HSTS header for a duration of 1 year, includes subdomains, and marks the site as eligible for preload. The `always` parameter makes NGINX add the header to every response code, not only 2xx and 3xx.

```nginx
server {
    listen 80;
    server_name example.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # SSL certificate and related settings go here

    # HSTS header configuration
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Other SSL and application-related configurations go here
    # ...
}
```
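After deploying either of the configurations above, the check a practitioner wants is whether every path actually carries the header, because both servers can lose it silently: in NGINX an `add_header` inside a `location` block replaces all `add_header` directives inherited from the `server` block, so a location that sets its own `Cache-Control` stops sending HSTS. The script below is an added example, not code from the original article, that runs such a check over captured responses. The responses are constructed to look like `curl -sI` output for the placeholder host `example.com`; the third one models exactly that NGINX inheritance pitfall.

```python
# Expected header value, taken from the Apache/NGINX configurations above.
EXPECTED_HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed captures: (request URL, raw response head as `curl -sI` prints it).
CAPTURES = [
    ("http://example.com/",
     "HTTP/1.1 301 Moved Permanently\r\n"
     "Location: https://example.com/\r\n\r\n"),
    ("https://example.com/",
     "HTTP/1.1 200 OK\r\n"
     "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
     "Content-Type: text/html\r\n\r\n"),
    # A location block with its own add_header drops the inherited HSTS header.
    ("https://example.com/static/app.js",
     "HTTP/1.1 200 OK\r\n"
     "Cache-Control: max-age=86400\r\n"
     "Content-Type: application/javascript\r\n\r\n"),
]


def parse_response(raw):
    """Split raw HTTP/1.x response text into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive; parsing stops
    at the blank line that ends the head.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def check_deployment(captures):
    """Return a list of findings; an empty list means the deployment is consistent."""
    findings = []
    for url, raw in captures:
        status, headers = parse_response(raw)
        hsts = headers.get("strict-transport-security")
        if url.startswith("http://"):
            # The plain-HTTP listener must hand the client to HTTPS on the same host and path.
            target = headers.get("location", "")
            if status not in (301, 308) or not target.startswith("https://"):
                findings.append("%s: plain-HTTP request not redirected to HTTPS" % url)
            elif target != "https://" + url[len("http://"):]:
                findings.append("%s: redirect changes host or path (%s)" % (url, target))
            if hsts is not None:
                # Harmless, but it does nothing: browsers only honour HSTS over HTTPS.
                findings.append("%s: HSTS sent over HTTP is ignored by browsers" % url)
        else:
            if hsts is None:
                findings.append("%s: no Strict-Transport-Security header" % url)
            elif hsts != EXPECTED_HSTS:
                findings.append("%s: unexpected HSTS value %r" % (url, hsts))
    return findings


if __name__ == "__main__":
    for finding in check_deployment(CAPTURES):
        print(finding)
```

To use it against a real deployment, replace `CAPTURES` with the output of `curl -sI` for one URL per `location` block (static assets, API routes, error pages), since those are the places where the header most often disappears.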