HTTP Strict Transport Security (HSTS) is a response header sent by a web server to the browser to force the browser to use the HTTPS protocol for the website and its contents. After receiving this response, the browser will reach the website over an HTTPS connection only, until the timeout defined in the header expires.

This is achieved as follows: when a browser sends its first request for the website to the web server over the HTTP protocol (we will talk about this later), the server responds with the HSTS header and a timeout value. This forces the browser to switch to HTTPS, with a valid certificate, for communication with the site during the defined timeout window. The header also forces any link to this domain to be used with HTTPS only. Once the browser is aware of this setting, all future requests are performed over HTTPS, and if an invalid certificate is detected the connection to the website is terminated.

Header specifications:

header name: Strict-Transport-Security

Options:

max-age: This is the time period, in seconds, during which the browser must reach the website over HTTPS. Once this period is over the browser will again start making requests to the website over HTTP and, if the server is configured for it, will receive the HSTS setting again.

includeSubDomains: This parameter applies the HSTS setting to all subdomains of the domain that sent the header. Ideally HSTS should be configured at the root domain level so that all subdomains get this setting.

preload: This is an optional field that lets the browser reach the website using HTTPS from the start. As mentioned previously, the first request by the browser is over HTTP and it then gets redirected to HTTPS. This stage can be exploited and an attacker can redirect the traffic. To avoid this, Firefox and Chrome maintain a list of HSTS websites. When a request is made, the domain is checked against this pre-defined list and, if the website is part of it, the request is made using HTTPS from the beginning. We can request that our website be added to these preloaded domain lists.
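As an added illustration (not code from the original post), here is a small Python model of what a browser does with the header described above: it parses the three directives, applies the includeSubDomains rule when deciding whether to upgrade a request, and checks the published preload-list requirements (max-age of at least one year, includeSubDomains and preload). The header strings and host names are constructed sample input.

```python
import re
from urllib.parse import urlsplit

# Published requirement of the browser preload list (hstspreload.org):
# max-age must be at least one year, expressed in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None if the header is malformed (no usable max-age), in which
    case a browser ignores it. Note that a browser also only honours this
    header when it arrives on an HTTPS response (RFC 6797), never over HTTP.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if not m or policy["max_age"] is not None:
                return None  # invalid or duplicated max-age: ignore header
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def should_upgrade(policy, host, url):
    """Decide whether an http:// URL must be rewritten to https://, given a
    policy learned from 'host'. Subdomains are covered only when the header
    carried includeSubDomains."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    target = parts.hostname or ""
    if target == host:
        return True
    return policy["include_subdomains"] and target.endswith("." + host)


def preload_ready(policy):
    """Check the three conditions the preload list requires of a site."""
    return (policy["max_age"] >= PRELOAD_MIN_MAX_AGE
            and policy["include_subdomains"] and policy["preload"])
```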

More information and the list of these predefined websites can be found at the links below:

Google Chrome: https://www.chromium.org/hsts

Mozilla Firefox: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc

Limitations:

1. The initial request is still over HTTP and susceptible to attack. Although the preload list exists, it is only for selected browsers, and not all web clients support this feature.

2. It does not provide protection against TLS-based attacks.

3. It only ensures a secure connection to the website; if the domain/website itself is malicious, it provides no protection against that.

For more details on the HSTS header, the following reference links can be visited:

Reference Links:

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

A good way to learn more about it is the OWASP cheat sheet:

https://github.com/OWASP/CheatSheetSeries

Below are a few more links on how to enable HSTS on different web servers. The options and settings provided by each web server differ; we discussed only the basic syntax of the header:

  1. Tomcat: https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#HTTP_Header_Security_Filter
  2. IIS: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts
  3. Nginx: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/