HTTP Strict Transport Security


Created: October 8th 2015

What is HSTS?

  • HSTS is an acronym for HTTP Strict Transport Security
  • It is a security enhancement which ensures only secure pages from your domain are shown by a browser
  • Automatically redirects HTTP requests to HTTPS for the target domain
  • Does not allow a user to override the invalid certificate message
  • Enabled through the use of a special response header
  • Can be preloaded via browsers by listing your domain

Once properly implemented, HSTS will not allow unsecure versions of pages from your domain to be visited.

Any attempt by visitors to use the unsecure version (http://) of a page will be forwarded automatically to the secure version (https://).

It is basically like a 301 redirect, but enforced at the browser level rather than by the web page. It is superior to a 301 redirect because the browser will only ever use https for the domain, whereas a 301 redirect is served over plain http the first time a browser sees it and can be intercepted at that point.




How to implement HSTS

To fully implement HSTS to be secure requires two general steps:

  • Enable HSTS on your server
  • Ensure HSTS is preloaded

How to enable HSTS

  1. Decide what settings are appropriate for your site
  2. Add the "Strict-Transport-Security" response header

1. Decide your settings

The header you will set to enable HSTS has some variables that are very important.

The goal of this article is to describe how to fully implement HSTS. Doing so requires that your domain can be included in the "preload list" maintained by Google, which is also used by other browsers.

In order to be included on those lists certain conditions must be met. These conditions may or may not be appropriate for your site. Here are three example scenarios:

Simplest setting / least secure:

Strict-Transport-Security: max-age=10886400

The above example is the most simple version of this header.

  • Simplest setting / least secure
  • Does not affect subdomains
  • Not able to be included in preload lists

This header will enable HSTS, but it should be noted that these settings are not strong enough to allow you to be included in the preloading lists maintained by Google. If you are not included in preloading lists, your site will not be fully secure, as first time traffic to your site will still be able to use unsecure http.

More secure - ensures subdomains will be HTTPS:

Strict-Transport-Security: max-age=10886400; includeSubDomains

The above example is a more secure version of this header.

  • Moderate setting / more secure
  • Subdomains will be HSTS too
  • Not able to be included in preload lists

This header will enable HSTS and will include all subdomains, however this is still not enough to allow you to be included in the preloading lists maintained by Google.

Most secure - Recommended setting:

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

The above example is the most secure version of this header. Recommended.

  • Most secure
  • Subdomains will be HSTS too
  • Can be included in preload lists

This header can be included in the preloading lists maintained by Google.

Variables

  • Strict-Transport-Security: - the header declaration
  • max-age= - amount of time in seconds the header should stay alive
  • includeSubDomains - this states to require HSTS on all subdomains
  • preload - this gives your authorization to be included in preload lists

Once you know the settings you require you can add the header...

2. Adding the Strict-Transport-Security header to enable HSTS

The Strict-Transport-Security header is added the same way any header is added. Here are some common scenarios:

Enable HSTS using .htaccess

If you are using the .htaccess file for your configurations, HSTS can be added by using the following code:

<IfModule mod_headers.c>
    # "always" sets the header on every response (redirects and errors included),
    # not only on 2xx responses, which matters because the preload list checks redirects
    Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

Important!: The above code is the most secure and has all required elements needed to be included in the HSTS preload list. This recommended setting will be used in all further examples.

Enable HSTS in Apache

This should be added to the VirtualHost that listens for SSL (<VirtualHost xx.xx.xxx.xx:443>):

Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"

Enable HSTS in NGINX

This should be added to the server block that listens for SSL (server {listen 443.....}). Note the trailing semicolon, which nginx requires on every directive:

# "always" (nginx 1.7.5+) adds the header to every response, including redirects
add_header Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" always;

Enable HSTS in IIS

HSTS has been implemented, per the specification, as an open source IIS module.

Enable HSTS in Litespeed

Enabling HSTS can be achieved using the .htaccess or Apache config described above. To enable it in the native Litespeed config, please see this article.

Ensure HSTS is preloaded

After HSTS is enabled on your site, you will need to get on the preload list maintained by Chrome (this list is also used by other browsers).

Doing so will mean that even first time visitors to your site will be forced to your secure pages. If you are not on a preload list, your site will still not be secure from man in the middle attacks.

How to get listed on the HSTS preload list

  1. Make sure you meet the requirements
  2. Enter your domain into the preload list
  3. Wait

1. Meet the requirements

Assuming you have a valid certificate, if you used the recommended configurations above, you will likely meet the requirements. The stated requirements are:

  • Have a valid certificate.
  • Redirect all HTTP traffic to HTTPS—i.e. be HTTPS only.
  • Serve all subdomains over HTTPS, specifically including the www subdomain if a DNS record for that subdomain exists.
  • Serve an HSTS header on the base domain
  • Expiry must be at least eighteen weeks (10886400 seconds).
  • The includeSubdomains token must be specified.
  • The preload token must be specified.
  • If you are serving a redirect, that redirect must have the HSTS header, not the page it redirects to.
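To check a header value against the requirements above, here is an added Python example (not from the original article) that parses a Strict-Transport-Security value per RFC 6797 and reports which of the header-related preload requirements it fails; the three header values from the settings section are used as input. The certificate and redirect requirements need a live request to your site and are not checked here.

```python
# Added example (not from the original article): parse a Strict-Transport-Security
# header value and check it against the preload-list requirements the article
# lists (max-age >= 18 weeks, includeSubDomains token, preload token).
from dataclasses import dataclass
from typing import List, Optional

EIGHTEEN_WEEKS = 18 * 7 * 24 * 60 * 60  # 10886400 seconds, the preload minimum


@dataclass
class HSTSPolicy:
    max_age: Optional[int]       # None when max-age is missing or malformed
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HSTSPolicy:
    """Parse a header value. Directive names are case-insensitive (RFC 6797 6.1),
    so 'includeSubdomains' and 'includeSubDomains' are the same token."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age value may be quoted
        if name == "max-age":
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    return HSTSPolicy(max_age, subs, preload)


def preload_problems(value: str) -> List[str]:
    """Return the reasons a header value would fail preloading; empty list means OK."""
    policy = parse_hsts(value)
    problems = []
    if policy.max_age is None:
        problems.append("max-age is missing or not a number")
    elif policy.max_age < EIGHTEEN_WEEKS:
        problems.append(f"max-age {policy.max_age} is below {EIGHTEEN_WEEKS}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains token is missing")
    if not policy.preload:
        problems.append("preload token is missing")
    return problems


if __name__ == "__main__":
    # The three header values from the settings section of the article
    for header in ("max-age=10886400",
                   "max-age=10886400; includeSubDomains",
                   "max-age=10886400; includeSubDomains; preload"):
        print(header, "->", preload_problems(header) or "eligible for preload")
```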

2. Enter your domain into list

Go to the preload list and enter your domain.

Once you do, you will receive different responses depending on your scenario. If you do not meet the requirements, it will tell you. If you do meet them, it will tell you that too.

After it accepts your domain name, you can check back to see the status of your domain.

3. Wait

Getting on the list is a long process: expect weeks to be accepted, and then months before your entry ships in the latest versions of Chrome / Firefox.

Planning ahead

If you are planning to launch a site or change your domain in the next several months, start this process on that domain now.

by Patrick Sexton