An in-depth HTTP Strict Transport Security Tutorial
HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so.
HTTP Strict Transport Security (HSTS) is an Internet standard and policy that tells the browser to only interact with websites using a secure HTTPS connection.
When a web browser receives an HSTS policy from a website, it automatically uses HTTPS for all future communications with that website, even if the user attempts to use HTTP. This ensures all communications between a browser and website are secure and can't be intercepted or tampered with by an attacker.
This article explores different vulnerabilities you can remediate by implementing HSTS, highlights attack vectors that you can prevent or minimise with help from HSTS, and reviews some added benefits that HSTS offers.
How to use HSTS effectively
Ensuring private and secure access to Internet-based sensitive data, confidential information, and personal transactions is paramount. One of the best steps you can take to keep your websites secure is to enable HSTS to ensure that all connections utilise Hypertext Transfer Protocol Secure (HTTPS). HTTPS is more secure than its counterpart, Hypertext Transfer Protocol (HTTP). That’s because HTTPS is a security protocol layer on top of HTTP that uses SSL to encrypt users’ requests and responses over the Internet.
This section explores how to implement HSTS and how to use it effectively, and the protection that HSTS provides against multiple attack forms. Let’s start by highlighting some additional security benefits of using HTTPS.
Benefits of using HTTPS
HTTPS provides many security benefits.
One of the most significant benefits of HTTPS is that it provides data encryption. Data encryption means that your website’s visitors can worry less about their data being corrupted or hijacked midway through transmission than they would when visiting a site that uses HTTP. And if malicious attackers obtain sensitive user data, the data will be of little use to them because it’s encrypted and, therefore, highly secured.
Advanced verification and data validation
Verification is another notable benefit of HTTPS. HTTPS use certificates to ensure that the protocol’s policy and that of the website are in harmony. It notifies the user of an insecure connection if the policy is breached. This prompt feedback to the user increases trust and guarantees their online safety.
When sending or establishing a connection over the Internet, verifying whom you’re communicating or connecting to is often challenging. HTTPS has advanced verifications processes that use Transport Layer Security (TLS) handshake to verify the sender and the receiver. Only when and if the connection is successful will it allow the two to communicate. This security feature helps to identify impersonators and ensures the security of the data being sent between the parties.
So how do you enable HSTS on your website?
The HSTS policy is declared by modifying your web server configuration. This will differ depending on your server type. You can also have different subdomains, but they have to be able to support the HSTS if they’re associated with the root domain.
You can use a certificate authority like Let’s Encrypt (a free service) to enable HSTS on your site.
An example of an HTTP web server header with HSTS enabled looks like this:
The max-age attribute is the number of seconds the HSTS is enabled, which is normally a year in seconds.
Mitigating attacks with HSTS
Websites are vulnerable to many different types of attacks. Using HSTS protects you against several of the most common, widely used attack forms, including those below.
Man-in-the-middle attacksA man-in-the-middle attack is where a malicious actor intercepts communication between two parties and impersonates both parties to steal sensitive information. This attack is possible when the attacker can access a network and monitor its traffic. The attacker can then insert themselves into the communication between the two parties and alter the information being exchanged to steal sensitive data or inject malware.
Man-in-the-middle attacks are perilous because they’re difficult to detect but are high risk, as attackers can steal sensitive information or spread malware without the user’s knowledge.
Implementing HSTS can help prevent this attack by allowing the webserver to tell a web browser that it should only communicate using HTTPS instead of HTTP. This means that if an attacker tries to intercept communication between a web server and a web browser, they won’t be able to read or alter the traffic because it will be encrypted using HTTPS.
HSTS makes it much more difficult to execute a successful man-in-the-middle attack, as attackers won’t be able to see or modify any exchanged sensitive information.
SSL strippingSSL stripping is an attack where the connection is downgraded from a secure and encrypted HTTPS protocol to a less secure HTTP protocol. The attacker can potentially read or alter the sensitive information transmitted between the website and the user’s web browser by downgrading the connection from HTTPS to HTTP.
This attack is particularly dangerous because attackers can use it to steal sensitive information, such as login credentials or credit card numbers without the victim’s knowledge.
HSTS can aid in SSL stripping attack containment by forcing the web browser to use HTTPS for all communication with a website. When a web server sends an HSTS policy to a web browser, the browser will automatically use HTTPS for all subsequent requests to that website. This means that even if an attacker tries to downgrade the connection from HTTPS to HTTP, the web browser will still use HTTPS, and the communication will remain encrypted.
Therefore, HSTS makes it much more difficult for attackers to perform an SSL stripping attack, as they can’t read or modify the sensitive information transmitted between the website and the web browser.
Protocol downgradeProtocol downgrade refers to using an older, less secure version of a protocol for communication. Over time, new protocol versions provide improved security and functionality. However, in some cases, older protocols may still be used for communication due to compatibility issues or because the devices or systems involved don't support the newer versions.
Using an older protocol version can leave communication vulnerable to attacks, as the older versions may still have the security vulnerabilities that were addressed in the newer versions. Protocol downgrade attacks involve an attacker forcing an older, less secure protocol version to exploit vulnerabilities and gain access to sensitive information.
To help prevent protocol downgrade attacks, HSTS forces the web browser to use a specific, secure version of the HTTP protocol for communication with a website. So, for example, when a web server sends an HSTS policy to a web browser, the policy will specify which version of HTTP you should use for communication with that website. The web browser will then automatically use the specified HTTP version for all subsequent requests to that website.
Cookie/session hijackingCookie hijacking is a cyberattack where an attacker gains access to a user's web browser cookies or session information to impersonate the user and gain unauthorised access to their accounts or sensitive information. By gaining access to a user's cookies or session information, an attacker can impersonate the user.
Attackers perform cookie hijacking through various methods, such as social engineering, malware, or network sniffing.
HSTS can help prevent cookie/session hijacking by ensuring that all communication between a web server and a web browser is encrypted using HTTPS. When a web server sends an HSTS policy to a web browser, the browser will automatically use HTTPS for all subsequent requests to that website. This means that even if an attacker gains access to a user's cookies or session information, they won't be able to read or alter the sensitive data transmitted between the web server and the web browser because it's encrypted using HTTPS.
HSTS is secure, but not untouchable
Although HSTS packs several security benefits against commonly known attacks, it's not immune to website vulnerabilities. Users can still be susceptible to attacks from their initial connection to the website because HSTS only takes effect after the web browser has received the HSTS policy from the web server.
During the initial connection to the website, the web browser hasn't yet received the HSTS policy and may still use an unsecured connection, such as HTTP, to communicate with the website. This connection might give an attacker room to intercept the initial contact between the web browser and the web server, potentially reading or altering the sensitive information being transmitted.
Implementing HSTS isn’t just a way of keeping your website secure. It’s also an effective way of showing your website’s users that you value and prioritise their security by taking care of how you handle their data. HSTS doesn’t just add an extra layer of protection, these efforts will positively impact your organisation’s reputation and build trust with visitors and customers.
You should always use HSTS on websites that transmit sensitive user data, such as login credentials or financial data. This will help prevent unwanted attacks and protect the confidentiality and integrity of transmitted sensitive information. By enforcing HTTPS use for all communication, HSTS can help prevent a wide range of cyberattacks.