HSTS - ayosecu/security-terms GitHub Wiki

HSTS (HTTP Strict Transport Security) is a web security policy mechanism that enforces the use of HTTPS (HTTP Secure) for communication between a browser and a web server. It helps prevent certain attacks, such as man-in-the-middle (MITM) attacks and protocol downgrade attacks, by ensuring that browsers only interact with the website over secure connections.

1. How HSTS Works

HSTS is implemented using the Strict-Transport-Security HTTP response header. Once this header is received, the browser will:

  1. Force HTTPS: Automatically upgrade all HTTP requests to HTTPS for the domain.
  2. Refuse Insecure Connections: Reject any attempts to connect over HTTP.

2. Key Components of HSTS Policy

a. The HTTP Response Header

  • Syntax:
Strict-Transport-Security: max-age=<seconds>; includeSubDomains; preload

b. Directives

  1. max-age:
  • Specifies the duration (in seconds) that the browser should enforce the HSTS policy.
  • Example:
Strict-Transport-Security: max-age=31536000
  • Enforces HTTPS for 1 year (31,536,000 seconds).
  1. includeSubDomains (optional):
  • Applies the HSTS policy to all subdomains of the main domain.
  • Example:
    • If set on example.com, it will also enforce HTTPS for sub.example.com.
  1. preload (optional):
  • Indicates the domain should be included in the HSTS Preload List, a list maintained by browsers to enforce HSTS before the first connection.
  • Requires both includeSubDomains and a max-age of at least 1 year.

3. Example HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

4. Benefits of HSTS

  1. Prevents Protocol Downgrade Attacks:
  • Attackers can force users to downgrade to HTTP, but HSTS ensures HTTPS is always used.
  1. Mitigates MITM Attacks:
  • Ensures data integrity and encryption, reducing the risk of attackers intercepting or modifying traffic.
  1. Enhances User Trust:
  • Demonstrates a commitment to secure communication, improving user confidence.

5. Challenges and Limitations

  1. Initial HTTP Request Is Vulnerable:
  • HSTS cannot protect the very first HTTP request if a user types http://example.com.
  • Solution: Redirect HTTP to HTTPS and add the domain to the HSTS Preload List.
  1. Strict Enforcement Can Cause Issues:
  • If misconfigured or applied to non-HTTPS domains, users may be unable to access the site.
  • Example:
    • Accidentally including includeSubDomains for a subdomain without HTTPS support.
  1. Browser-Specific:
  • Only works with browsers that support HSTS (modern browsers generally do).

6. HSTS Preload List

  • What It Is:
    • A list of domains that enforce HSTS before any connection is made.
    • Maintained by major browsers (e.g., Chrome, Firefox, Edge).
  • How to Apply:
    1. Ensure HSTS is enabled with max-age=31536000, includeSubDomains, and preload.
    2. Submit the domain at HSTS Preload.
    3. Once accepted, all major browsers enforce HSTS for the domain.

7. Real-World Usage

a. Websites That Use HSTS

  • Examples:
    • Google: Implements HSTS on all its domains, including www.google.com and subdomains.
    • Facebook: Enforces HTTPS through HSTS for its entire ecosystem.
    • Banks and Financial Services: Commonly use HSTS to ensure secure communication.

b. Popular Scenarios

  • Protecting login pages and sensitive user data.
  • Enforcing HTTPS across corporate and e-commerce platforms.

8. Testing HSTS

a. Browser Developer Tools

  • Inspect the HTTP response headers in browser developer tools:
  • Open DevTools > Network > Look for the Strict-Transport-Security header.

b. Online Tools

c. Commands

  • Use curl to view headers:
curl -I https://example.com

9. Best Practices

  1. Start with a Small max-age:
  • Use a small value initially to test the impact (e.g., max-age=86400 for 1 day).
  1. Gradually Increase Enforcement:
  • Once confident, increase the max-age and add includeSubDomains.
  1. Prepare for Preloading:
  • Ensure all subdomains support HTTPS before adding the preload directive.
  1. Redirect HTTP Traffic:
  • Always redirect HTTP to HTTPS before applying HSTS.
  1. Monitor Traffic:
  • Ensure no critical resources are served over HTTP.

10. Summary

Aspect Details
What is HSTS? A policy enforcing HTTPS connections to protect against MITM and downgrade attacks.
Key Header Strict-Transport-Security.
Main Directives max-age, includeSubDomains, preload.
Benefits Prevents insecure connections, enhances security, and improves trust.
Challenges Initial HTTP vulnerability, misconfiguration risks.
Popular Users Google, Facebook, financial institutions.

Conclusion

HSTS is a crucial tool for securing web communication, enforcing HTTPS across domains, and preventing vulnerabilities associated with unencrypted connections. Proper implementation, monitoring, and consideration of the HSTS Preload List can significantly enhance a website’s security posture.

⚠️ **GitHub.com Fallback** ⚠️