HSTS for security

Submitted by peter on Sat, 01/13/2018 - 04:27

HSTS, the HTTP Strict Transport Security protocol, is a standard for forcing the use of HTTPS instead of HTTP in some situations. HSTS does not solve the problem of switching a Web site from HTTP to HTTPS.

HSTS adds a HTTPS response header named "Strict-Transport-Security". The HSTS header does not redirect traffic from HTTP to HTTPS, you have to do that yourself. The option to redirect from HTTP to HTTPS is common in many Web hosting configuration pages and in CMS, Content Management System, configuration files. If none of those options exist, you can add automatic redirects to the Apache and Nginx configuration files.

Web browsers are supposed to ignore the Strict-Transport-Security header when they receive a HTTP response, leaving the Web browser with no reason to switch to HTTPS. You are back to redirecting visitors to HTTPS. When the user visits a HTTPS page, the HSTS header tells the Web browser to not switch back to HTTP.

The justification for the extra header is to warn web browsers that all content should be HTTPS and any requests for HTTP should be converted to HTTPS before the request is sent to the server. This stops some types of "man in the middle" attacks where a HTTPS request is hijacked and converted to HTTP.

The protocol does not work when the initial request is through HTTP. The protocol does not work with old Web browsers. There are other problems. The first thing you should do before touching HSTS is put in a redirect from HTTP to HTTPS for every domain and subdomain. HSTS can then add a little bit of extra protection to HTTPS domains.

Request headers

Here is an example set of request headers from a Web browser to a Web server named example.com.

Host example.com
User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Language en-AU,en-GB;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding gzip, deflate, br
Connection keep-alive
Upgrade-Insecure-Requests 1
Cache-Control max-age=0

Response headers

Here are the response headers for the request.

Server: nginx
Date: Sat, 13 Jan 2018 04:38:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6539
Connection: keep-alive
Cache-Control: must-revalidate, no-cache, private
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
expires: -1
pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip</pre>

There is no Strict-Transport-Security: max-age=63072000 header. Visit your Web hosting control panel. Select Hosting then Websites & Domains then Apache & Nginx settings.

Select Additional headers then enter the following line and save the change.

Strict-Transport-Security: max-age=63072000


Fix the HTTP to HTTPS redirect first then add HSTS.