What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a mechanism that helps shield websites against attacks such as protocol downgrade attacks and cookie hijacking. A site that enables it tells browsers and other conforming user agents to interact with it only over HTTPS (HTTP over TLS; SSL is the deprecated predecessor of TLS). Conforming user agents also send cookies marked `Secure` to a host only over such a secure transport.

When a secure connection cannot be established cleanly (an expired or mismatched certificate, for example), the user agent warns the user, but it usually also offers the option to continue anyway. This is the "click-through insecurity" problem: a network attacker who presents a bad certificate only needs the user to click through once, and the cookies the site uses to manage the session leak to the attacker. HSTS was introduced to close this gap. Rather than conveying the policy from a host to the user agent in a cookie, as an earlier proposal did, it defines an HTTP response header field. A host can additionally declare that its policy applies to the entire domain name subtree rooted at its host name, so that a single header covers all subdomains of that host; this happens only when the host explicitly asks for it, not by default.

With an HSTS policy in effect, the user agent rewrites any insecure URI reference to an HSTS host (`http://`) into a secure one (`https://`) before dereferencing it, and it terminates any secure transport connection attempt that produces an error or warning instead of letting the user click through.

Use case:

You step into your favorite cafe to grab a cup of coffee and get a text from your landlord: "Hey, your rent for this month is due." You open your laptop, connect to the cafe's free Wi-Fi and go to pay the rent. Unfortunately, an attacker on the same access point is intercepting users' plain HTTP traffic, redirecting them to a cloned banking site and capturing their credentials. HSTS protects you against this man-in-the-middle attack: as long as you have previously visited your bank's website over HTTPS and the bank sends the Strict Transport Security header, the browser will never send the request over plain HTTP in the first place, so there is no insecure request for the attacker to intercept. The precondition matters: the protection only exists once the browser has recorded the policy from an earlier, error-free HTTPS visit (or from a built-in preload list the browser ships with), so the very first visit over an untrusted network is not covered.

When a site is accessed over HTTPS, it returns the `Strict-Transport-Security` response header. A browser honours the header only on an error-free HTTPS response and ignores it on plain HTTP, since an attacker on the path could otherwise inject or strip it. The browser records the host and its policy, and future attempts to load the site via `http://` are rewritten to `https://` before any request is sent. The header carries an expiration time (`max-age`, in seconds), counted from the moment the response was received. Every later HTTPS response that carries the header resets that clock, so for a site that is visited regularly the policy never lapses; only if the browser does not see the header again before `max-age` elapses will the next load over HTTP proceed as plain HTTP.

```http
Strict-Transport-Security: max-age=63072000; includeSubDomains
```

Here `max-age=63072000` is 730 days, i.e. a time limit of two years, and `includeSubDomains` extends the policy to every subdomain of the host that sent it.

Core requirements for HSTS to work effectively (these follow the overall requirements laid out in RFC 6797): 

  1. Websites need to be able to declare to user agents that they should be accessed using a strict security policy.

  2. Websites need to be able to instruct user agents that interact with them to do so securely.

  3. User agents need to retain persistent data about websites that signal strict security policy enablement, for the time spans declared by those websites. Additionally, user agents must cache the "freshest" strict security policy information, so that websites can update or withdraw it.

  4. User agents need to rewrite all insecure "http" URI loads to the secure "https" scheme for the websites for which strict security policy is enabled.

  5. Website administrators need to be able to signal strict security policy application to subdomains of higher-level domains for which strict security policy is enabled, and user agents need to enforce this policy. For example, both healthybyte.net and security.healthybyte.net could set a policy for help.security.healthybyte.net.

  6. User agents need to disallow security policy application to peer domains or higher-level domains by domains for which strict security policy is enabled. For example, neither help.security.healthybyte.net nor security.healthybyte.net can set a policy for healthybyte.net.

  7. User agents need to prevent users from "clicking through" security warnings; halting the connection attempt when the secure transport raises an error is the acceptable outcome.
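The header handling described above and the requirements in this list can be checked against a small model of a browser's HSTS store. The following JavaScript is an added example written for this article, not browser code or code from any project; the host names, header values and timestamps in it are constructed for illustration. It parses the header, ignores it on non-HTTPS responses, refreshes the expiry on every HTTPS response that carries it, lets a superdomain's `includeSubDomains` policy cover its subdomains but never the reverse, and rewrites `http://` URLs before they would be dereferenced.

```javascript
// Added example for this article (not browser or project code): a minimal
// model of a user agent's HSTS store. Host names, header values and
// timestamps below are constructed for illustration.

// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains }.
// Directives are ';'-separated and case-insensitive; max-age is mandatory,
// unknown directives (e.g. preload) are ignored, a malformed header is dropped.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    const name = (eq < 0 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? '' : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.known = new Map(); } // host -> { expires, includeSubDomains }

  // Record the policy from one response. Only an error-free HTTPS response
  // counts: over plain HTTP an on-path attacker could inject or strip it.
  // Returns true when the store was changed.
  observeResponse({ scheme, host, secure = true, headers }, now) {
    const raw = headers['strict-transport-security'];
    if (scheme !== 'https' || !secure || raw === undefined) return false;
    const policy = parseHsts(raw);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) return this.known.delete(host); // max-age=0 withdraws the policy
    // The freshest policy overwrites the old one, so the expiry slides
    // forward on every HTTPS response that carries the header.
    this.known.set(host, { expires: now + policy.maxAge * 1000,
                           includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // A host is covered if it has an unexpired entry, or a superdomain does and
  // that entry said includeSubDomains. The walk only goes upward, so a
  // subdomain can never impose policy on its parents (requirement 6).
  isKnown(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.known.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.known.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Requirement 4: rewrite http:// to https:// before dereferencing. WHATWG
  // URL drops the default port, so http://host:80/ becomes https://host/ (443).
  rewrite(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.toString();
  }
}

// Walk through the cafe scenario from the article with constructed data.
function walkthrough() {
  const day = 86400 * 1000, twoYears = 63072000 * 1000;
  const t0 = Date.UTC(2024, 0, 1);
  const hsts = { 'strict-transport-security': 'max-age=63072000; includeSubDomains' };
  const store = new HstsStore(), out = {};

  // A header seen over plain HTTP changes nothing, so the first visit is unprotected.
  out.ignoredOverHttp = !store.observeResponse({ scheme: 'http', host: 'bank.example', headers: hsts }, t0);
  out.beforeFirstHttpsVisit = store.rewrite('http://bank.example/pay', t0);

  // After one clean HTTPS visit the policy is stored and applied.
  store.observeResponse({ scheme: 'https', host: 'bank.example', headers: hsts }, t0);
  out.afterFirstHttpsVisit = store.rewrite('http://bank.example/pay', t0 + day);
  out.subdomainCovered = store.rewrite('http://online.bank.example/login', t0 + day);
  out.unrelatedHost = store.rewrite('http://bank-example.net/', t0 + day);

  // A subdomain's header cannot extend the policy to its parent.
  const other = new HstsStore();
  other.observeResponse({ scheme: 'https', host: 'help.bank.example', headers: hsts }, t0);
  out.parentUnaffected = other.rewrite('http://bank.example/', t0 + day);

  // A later HTTPS visit refreshes the expiry; the policy lapses only once
  // max-age passes without a refresh.
  store.observeResponse({ scheme: 'https', host: 'bank.example', headers: hsts }, t0 + 400 * day);
  out.stillValidPastOriginalExpiry = store.rewrite('http://bank.example/pay', t0 + twoYears + day);
  out.lapsed = store.rewrite('http://bank.example/pay', t0 + 400 * day + twoYears + day);
  return out;
}

console.log(walkthrough());
```

Running the block prints the outcome of each step; the two results worth comparing are `beforeFirstHttpsVisit` (still `http://`, because nothing has been recorded yet) and `lapsed` (back to `http://`, because two years passed without the header being seen again), which are exactly the two windows in which the cafe attacker would succeed.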
