Security Header — HTTP Strict Transport Security (HSTS)

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security feature that helps protect websites and users from certain types of attacks, particularly man-in-the-middle (MITM) attacks, by ensuring that the website is only accessed over a secure HTTPS connection.

In simple terms: HSTS tells the web browser, “Only connect to this website using HTTPS, not HTTP.”

Why is HSTS needed?

Normally, when you visit a website, your browser can connect to the site via either HTTP (non-secure) or HTTPS (secure). However, attackers can exploit this by:

1. Downgrading your connection: For example, by redirecting you from HTTPS to HTTP. If you’re using HTTP, your data is not encrypted, and attackers can intercept or modify it (MITM attack).
2. Intercepting unencrypted data: If a website isn’t using HTTPS, the data you send (like passwords) can be read by attackers.

How does HSTS work?

HSTS works by forcing the browser to only connect to the website using HTTPS for a specified period. This is done through a special HTTP header sent by the server.

When a website implements HSTS, it sends a response header like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

• max-age=31536000: This tells the browser to remember (or "stick to") the rule for 1 year (31,536,000 seconds).
• includeSubDomains: This means the rule applies to all subdomains of the site (e.g., login.example.com, mail.example.com).

Steps of HSTS in action:

First Visit

• When you visit the site for the first time, it’s possible that the website is served over HTTP.
• However, the website sends an HSTS header saying, “From now on, always use HTTPS.”

Subsequent Visits

• On your next visit, your browser remembers the rule and forces HTTPS, even if you type “http://” in the URL.
• Even if the attacker tries to intercept and downgrade your connection to HTTP, your browser will reject it and force HTTPS.

Key Benefits of HSTS:

• Prevents Downgrade Attacks: HSTS blocks attackers from forcing a site to load over HTTP.
• Protects Users: Users will always access the site securely without the risk of sending sensitive data over unencrypted channels.
• Mitigates SSL Stripping: SSL Stripping is an attack where an attacker intercepts an HTTPS connection and downgrades it to HTTP. HSTS prevents this from happening.

Real-World Example: Google

Google is one of the most famous companies that heavily uses HSTS. Here’s how it works for them:

• Initial Visit: When you first visit http://www.google.com, Google will send the HSTS header over an HTTPS connection. The header might look like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

• For Future Visits: Your browser remembers this instruction and will always use HTTPS to visit any Google-related website, like www.google.com or even subdomains like mail.google.com for the next year (since max-age is set to one year).

Example of SSL Stripping Attack (HSTS Mitigation):

Without HSTS:

• You type http://example.com.
• The attacker intercepts the request and downgrades it to http://example.com, which is unencrypted.
• The attacker can now see or manipulate any sensitive data like passwords or credit card information.

With HSTS:

• You type http://example.com.
• The first time you visit, your browser sees the HSTS header telling it to only use HTTPS.
• Even if the attacker tries to downgrade your connection, your browser will enforce HTTPS, making the connection secure.

HSTS Preload List:

Some browsers like Chrome, Firefox, and Safari maintain a special HSTS preload list. This is a list of websites that are guaranteed to always be served over HTTPS, even before you visit them for the first time.

For example:

• If you type http://twitter.com, your browser may not even attempt an HTTP connection. It will directly go to https://twitter.com because Twitter is in the HSTS preload list.

Website owners can submit their domain to the HSTS preload list, ensuring that browsers will always use HTTPS from the very first connection, even before the HSTS header is sent.

Key Considerations:

• Once you set HSTS, it can’t be easily undone. Once the browser remembers the rule, it will keep enforcing HTTPS for the period specified in max-age. Therefore, you should be sure that your website supports HTTPS properly before implementing HSTS.
• Use HSTS with caution: Ensure your website is fully HTTPS-compliant and doesn’t have any mixed content (insecure resources on an HTTPS page), as this can cause errors.

A Real-World Example: Facebook

Facebook enforces HSTS on all of its subdomains. If you visit http://www.facebook.com, it will redirect you to https://www.facebook.com automatically, and the browser will remember this preference for the future. Even if you try to manually enter an HTTP URL (like http://m.facebook.com), Facebook will force HTTPS on you.

Conclusion:

• HSTS is a security feature that forces web browsers to only connect to a website using HTTPS, which is essential for preventing attacks like MITM, downgrade attacks, and SSL stripping.
• Websites that use HSTS improve security for their users by ensuring that their sensitive data is always transmitted over secure, encrypted connections.
• Real-world examples like Google and Facebook demonstrate how widespread and important HSTS is in modern web security.