HSTS (HTTP Strict Transport Security) is a security enhancement that a web application or server declares through a special response header called "Strict-Transport-Security".
When a supported browser receives this header, it refuses plain HTTP connections to the specified domain and sends all communication over HTTPS instead. A working HTTPS setup with a valid SSL/TLS certificate is a prerequisite for HSTS; otherwise activating HSTS will simply make your site inaccessible.
HSTS thus improves the security of a website's visitors by preventing web browsers from accessing the site over insecure HTTP connections. If visitors are unable to connect via HTTPS, the website will no longer be available to them.
In addition, HSTS specifies a period of time during which the browser (or any other user agent) must access the server only securely via HTTPS.
The HSTS mechanism helps protect a website's users against a number of passive and active network attacks. For example, a man-in-the-middle attacker cannot intercept a request over plain HTTP as long as HSTS is active on the website.
HSTS also protects against attacks that capture HTTP network traffic to a website that relies solely on 301 redirects to switch from HTTP to HTTPS.
HSTS forces browsers and applications to use an HTTPS connection whenever possible. This applies even when users type only the "www" host name or an explicit "http://" address.
NB: Setting up 301 redirects alone is not enough to secure your domain by moving traffic from http:// to https://. The initial request and the redirect itself travel over unprotected HTTP, which leaves the door open to an attack.
Enabling HSTS
HSTS can be turned on with a simple header, which is added to all responses your server sends:
Strict-Transport-Security: max-age=300; includeSubDomains; preload
You can include this in your web server's configuration file. For example, in Nginx, set the header with an add_header line in your server block (the "always" flag belongs after the quoted value, so the header is also sent on error responses):
add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload" always;
For Apache, the directive is similar, using Header always set (this requires mod_headers):
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
The following initial steps let you test your web applications, user connections and session management before committing to a long-lived policy:
- Start with a short policy: ideally the HSTS entry should expire every 5 minutes (max-age=300)
- Keep testing at increasing intervals, first for a week and then a month, until you're certain there are no issues
- Solve any problems that arise during your deployment
- Change the "max-age=xxx" parameter accordingly: one week = 604800; one month = 2592000
- Add the preload directive once the tests are complete
If you find that HSTS works well with your web applications, set "max-age" to 63072000. This corresponds to two years, which is what the Chromium project requires for a request to be included on its preload list of sites that must be connected to using HSTS.
Ongoing HSTS requirements
- Your website must have a valid SSL certificate installed and active. Check that your certificates are correctly installed and working properly.
- Redirect ALL HTTP links to HTTPS with a permanent 301 redirect.
- Your SSL certificate must cover ALL sub-domains; to achieve this, order a Wildcard certificate. Otherwise, a Domain Validation (DV), Organisation Validation (OV) or Extended Validation (EV) SSL certificate for the domain is sufficient.
- Send an HSTS header on the base domain for HTTPS requests.
- The "max-age" parameter must be set to at least 10886400 seconds (18 weeks). Choose the two-year value (63072000), as indicated above.
- The "includeSubDomains" directive must be specified where applicable.
- The "preload" directive must be specified.
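Added example (Python, not code from the original article or from GlobalSign): the first part models the browser-side behaviour described at the top of the page, an in-memory HSTS cache that records a policy only when the header arrives over HTTPS, honours max-age expiry and includeSubDomains, and rewrites http:// URLs to https:// while the policy is live; the second part checks a header value against the checklist above (max-age at least 18 weeks, ideally two years; includeSubDomains; preload). The class and function names, host names and header strings are constructed for the illustration and do not come from the page.

```python
"""Added example (not from the original article): a simplified model of a
browser's HSTS cache, plus a check of a header value against the preload
checklist in the article. Host names and header strings are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

TWO_YEARS = 63072000        # max-age the article recommends once rollout is done
MIN_PRELOAD_AGE = 10886400  # 18 weeks, the minimum stated in the article's checklist


def parse_sts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive. 'max-age' carries an integer value;
    'includeSubDomains' and 'preload' are flags (stored as True).
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or True
    if not str(directives.get("max-age", "")).isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


@dataclass
class Policy:
    expires_at: float        # time (seconds) after which the browser forgets the host
    include_subdomains: bool


class HstsStore:
    """Minimal in-memory HSTS cache keyed by host name (hypothetical class)."""

    def __init__(self) -> None:
        self._policies: dict[str, Policy] = {}

    def observe(self, url: str, header: str, now: float) -> None:
        """Record the policy that came with a response to `url` at time `now`.

        The header is honoured only over HTTPS; over plain HTTP it is ignored,
        since anyone on the path could have injected it. max-age=0 clears the host.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        d = parse_sts(header)
        if d["max-age"] == 0:
            self._policies.pop(parts.hostname, None)
            return
        self._policies[parts.hostname] = Policy(now + d["max-age"], "includesubdomains" in d)

    def upgrade(self, url: str, now: float) -> str:
        """Return the URL the browser would really fetch at time `now`:
        rewritten to https:// when a live policy covers the host, else unchanged.
        (Port mapping 80->443 is omitted for brevity.)"""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        labels = parts.hostname.split(".")
        # Check the exact host first, then each parent domain for includeSubDomains.
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return "https://" + url[len("http://"):]
        return url


def preload_problems(header: str) -> list:
    """Return the ways `header` falls short of the article's preload checklist.

    An empty list means the header value itself is ready; the certificate
    and HTTP->HTTPS redirect requirements still need checking on the live site.
    """
    try:
        d = parse_sts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if d["max-age"] < MIN_PRELOAD_AGE:
        problems.append(f"max-age {d['max-age']} is below the 18-week minimum ({MIN_PRELOAD_AGE})")
    elif d["max-age"] < TWO_YEARS:
        problems.append(f"max-age {d['max-age']} is below the recommended two years ({TWO_YEARS})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    store = HstsStore()
    policy = "max-age=300; includeSubDomains"
    store.observe("http://example.test/", policy, now=0)           # ignored: plain HTTP
    print(store.upgrade("http://example.test/login", now=10))      # stays http://
    store.observe("https://example.test/", policy, now=0)          # honoured for 300 s
    print(store.upgrade("http://www.example.test/login", now=10))  # https://...
    print(store.upgrade("http://www.example.test/login", now=301)) # expired: stays http://
    for value in ("max-age=300; includeSubDomains; preload",
                  "max-age=63072000; includeSubDomains; preload"):
        print(value, "->", preload_problems(value) or "ready for preload")
```

Running the script shows why the rollout above starts at max-age=300: once the 300 s policy lapses, the browser silently falls back to plain HTTP, so a mistake during testing is self-healing, whereas a two-year policy sent prematurely would lock visitors out of any part of the site that is not yet served over HTTPS. The preload_problems check is only about the header value; the certificate and redirect items in the checklist have to be verified against the live site.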