What is HTTP Strict Transport Security (HSTS)?


HSTS became popular after Google announced its decision to add services with this mechanism to the list of the best domains on the Internet that are at the same time highest positioned. It is worth looking at them, so we have prepared some important information for you.

What is HSTS?

HSTS is an IETF standard path protocol. The work of the various IETF working groups (an informal international association for setting technical standards for the Internet) produces documents called RFCs (Requests for Comments), which are numbered accordingly. They define many (if not all) of the current standards, transmission protocols and data formats. The HSTS was approved by RFC 6797 on October 2, 2012 exactly.

There is one safety risk associated with the HSTS system

Since the STS parameter is passed as a header, during the first call there is a small attack field - before the browser displays the header. This is rather low risk, but a good hacker can break SSL encryption and steal data with the right tools. However, in order to reduce this risk, a solution was created in the form of HSTS preload list.

What is the HSTS preload list?

The HSTS preload list is a list of sites using HSTS. Effectively closes the danger area when you first connect to the downgrade protocol (i.e. a backward update) or when you try to take control of cookies. When your web browser arrives at a page that uses the HSTS preload list for the first time, it immediately knows it's supposed to protect your connections.

The only problem that arises in this context is the relatively long waiting time for the website to be added to the HSTS preload list. Depending on the browser, it sometimes takes a week, and sometimes a month. That's why Google's decision to register all on the TLD (Top-Level Domain) list is so powerful. Now each one that is secured with an SSL certificate is by default on the list.

Should I implement HSTS on my website?

The answer is yes. We strongly recommend installing HSTS. With SSL certificate there are still ways to use the site. For experienced hackers it is not difficult to break such a dam. If you don't have HSTS, it's a bit like hanging a padlock on the doors of a single-storey house and leaving windows open by the way. The way to enter exists, simply requires more attention and cunning from someone.

We therefore recommend the implementation of HSTS. Not only HSTS, but also header with hints "includeSubDomains" and "preload".

Secure connections

Here is an example of a good HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

What to consider before implementing HSTS

It is worth noting a few things before adding the HSTS header:

  • You must have an SSL certificate installed on your website.
  • If you have subdomains, you must use a wildcard symbol to protect them.
  • You must use 301 redirection to change all HTTP pages to HTTPS
  • Google says it's best to set two headers for a maximum of two years
  • SubDomain and preload headers must be included

Important note: adding "preload" will not get you to the HSTS preload list right away. You will still have to follow her here: https://hstspreload.org/

HSTS header for IIS servers

protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) {case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); break; case "http": var path = "https://" + Request.Holiday Host + Request.Holiday.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; } }

HSTS header for Nginx

add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload; always;'.

HSTS header for lighttpd

server.modules += ("mod_setenv" ) $HTTP["scheme"] == "https". { setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload") }

HSTS header for Apache web server

# Use HTTP Strict Transport Security to force client to use secure connections only Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload".

How to register for the HSTS pre-download list

In order to submit your website to the initial HSTS list, you must first meet the official requirements:

  • Give only correct certificates
  • Re-address HTTP connections to HTTPS using the same host if you are on port 80.
  • Supports all subdomains via HTTPS

In particular you must maintain HTTPS for subdomains if a DNS (domain name system) for these subdomains exists

  • enter the HSTS header in the domain database on request HTTPS
  • the maximum age must be at least 18 weeks
  • includeSubDomain guideline must be specified
  • the preload guideline must be specified
  • if you specify additional redirection from your HTTPS website, the redirection must have a HSTS header.

0 Komentarze


Worth attention

Own online business in 10 steps

Internet businesses are developing very well. People all over the world like to buy online because they have a lot of choice and save time. That's why using the opportunity that online business...