×

Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

What Is HSTS & How It Provides Secure HTTPS Connections?

Enable HSTS to Secure HTTPS Connections

Mainly due to Google, there was a time that HSTS was in the news for a while. Because, as per Google, 45 TLDs have to be added to the pre-load list of HSTS.

HSTS is an abbreviation of “Hyper Strict Transport Security.” Originally it was known as “STS” to refer “Strict Transport Security.” But, due to HTTP, the H was added. It’s one of the mandatory things to consider because it helps in eliminating many online attacks, for instance, protocol downgrading, cookie hijacking.

Overview of HSTS

Initially drafted by a group of PayPal employees in 2009 and first published in 2012, it has been around for quite a time. However, it only comes to the spotlight a few years ago due to Google’s decision to emphasize it due to user’s security concerns. At the core, HSTS is one type of policy mechanism that’s used for adding into a server which communicates with a user-agent. It’s said that HSTS instructs the user-agent that you’re allowed to interact only if there’s secure (HTTPS) connection with a website.

According to RFC 6797, HSTS (HTTP Strict Transport Security) is defined as a web security standard. Its main goal is to create the standard that can help to prevent attacks such as MITM (man-in-the-middle) attacks that often happens due to SSL stripping. Here, SSL stripping means, a technique where an attacker is forcing the browser to connect with a website through an HTTP connection, so they can sniff malicious packets and intercept or modify sensitive data or information.

Here’s the Working of HSTS

Usually, whenever someone enters the URL of a website into the browser, they don’t often use the protocol part. For instance, the user will mostly type www.aboutssl.org instead of https://www.aboutssl.org. In such a scenario, the browser thinks that you want to make use of HTTP protocol, so it moves forward with that request to www.aboutssl.org.

On the contrary, if you’ve implied HSTS protocol, the web server will redirect using a 301-response code, which will point it towards HTTPS site and not the HTTP site. The browser will automatically connect with an HTTPS connection from www.aboutssl.org – if HSTS security policy protection is applied correctly using an HTTP response header.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Here, the Strict-Transport-Security header provides instruction to the browser that from now every connection with the site and its sub-domains must be in an HTTPS connection for the next year (31536000 seconds) – from the moment this header is received. And the HTTP connection will not be allowed. In case the browser receives any request to load a resource through HTTP, it must first try to convert it into an HTTPS request, and if it can’t, then terminate that connection altogether.

hsts guide
And the same applies, that HTTPS request will be terminated if the installed SSL/TLS certificate is not valid – self-signed expired or issued by an unknown certificate authority.

Note:

The Strict-Transport-Security header is sent for a given website that covers a specific domain name. Therefore, if you’ve got HSTS for the domain www.aboutssl.org, it’ll not cover for aboutssl.org, and only www subdomain will be covered. Thus, for getting complete protection, the website must call to the base domain – aboutssl.org and receive a header named Strict-Transport-Security for the domain name along with the directive includeSubDomains.

Benefits of HSTS Protocol

HSTS protocol offers specific benefits to a website when it comes to security as well as SEO. However, when it comes to SEO, benefits are not seen directly, but they do provide an indirect boost in an organic ranking.

Page Load

If an HSTS is implemented after the first non-secure request browser will only look for requesting the secure version of the website. And, the time it takes for a web browser to ask for a non-secure resource from the server is only a matter of second, but when you’ve implemented HSTS protocol, that time is also considered obsolete. Even though it’s a second, but when it comes to organic ranking, it can create an impact.

Security

Nowadays, the SSL/TLS certificate isn’t considered an option. It’s mandatory. Google puts a lot of emphasis on website security, and HTTPS is one among them. Since safety is essential for Google, by having HSTS implemented will prove beneficial. As discussed earlier, it’ll help to remove even the split second where a hacker can hijack a request called SSL Stripping.

For example, the first HTTP request or transfer of data to a website can be intercepted by the cybercriminal who can pretend to be a website by being a middleman between the server and a user. So, if someone sends sensitive information like credit card details, it might first go to the hacker, who then later sends it to the server.

Disadvantage of HSTS

No doubt, there are benefits when it comes to the implementation of HSTS, but a certain disadvantage is there, which should be addressed. Though, that’s a different thing that it shouldn’t affect you much as it’s not that serious that the security of your website will be affected. For instance,

preload – It’s one of the great features of HSTS. But the drawback is that once it’s implemented, it can’t be undone. For instance, after implementing it, for any reason you want to revert it to HTTP, then it won’t be possible, even if you follow all the right steps of phasing out the HSTS protocol. Because browsers won’t delete the old entry from their lists till the new update is provided, and the user downloads it.

includeSubDomains – As the name implies, even if you’ve got unsecured subdomains, it’ll cause an issue. It means, if you’ve subdomains, you’ll have to make those subdomains secure with HTTPS too to keep up with certificates up to date.

max-age – Similar to other attributes as discussed, it’s also one of the mandatory attributes that must be implemented. And, likewise, this one also has a certain downside. For instance, if you ever have to make an unsecured call to the server for any reason, it won’t be possible for the visitors who had cached the policy already.

Here’s How to Implement HSTS on Your Website

For implementing HSTS on the popular web servers:

HSTS Header on Microsoft IIS Servers

protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) { case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); break; case "http": var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; } }

Implementing HSTS on Nginx Server

Add below code into site.conf file:

add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload; always;'

HSTS Header for Implementing in Apache Server

Add below code to .htaccess file:

# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

Code to Implement HSTS in lighttpd

Add below code into config file ( /etc/lighttpd/lighttpd.conf):

server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload") }

Steps to Verify HSTS Implementation

Many different ways allow you to verify whether HSTS you implemented has been successful or not. You can even prove it using Google Chrome browser itself by merely following the below steps:

Open the website for which you want to check whether the HSTS has been implemented. For example, open the website you want to verify for HSTS and then click on three dots at the top right side of the browser and select Developer tools from More tools (CTR + Shift + I)

developer tools
Once the developer’s tool screen load, make sure to select the tab “Network.”
network
Now, refresh the website or else press button CTRL+R. All the website assets will be loaded in that right window panel of the Network tab. And from that, click on the first asset. It contains all the header responses which you have to look at.
network headers
Search for the strict-transport-security. If you find that, it means the website follows the HSTS policy.
strict transport security
Also, sometimes it happens that the website has perfectly implemented the HSTS policy, but the browser fails to recognize that and throws errors like “Privacy error: Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID), which can happen due to one or more reasons. If that’s the case, it’s suggested to clear HSTS settings in your browser, and you’ll be all set to go.

Summary

It’s been a while for HSTS to be implemented by the websites. But, due to Google’s emphasis on website security, its adaptation has increased. Without a doubt, HSTS does offer some benefits, but at the same time, it does have a certain downside though nothing to do with security. So, whether to implement or not, it’s all up to you. However, it’s suggested to make use of it, as it improves the website security and prevents unwanted attacks like SSL stripping or MITM.
Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More
Download Site Seal
comodo-trust-seal
SSL Checker