HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a system put in place that guarantees all interactions between a client and a specific website are done using the HTTPS protocol.

The HSTS mechanism exists to protect users against certain types of malicious behavior, such as a protocol downgrade attack. This type of attack occurs mid-session, where a connection is converted from secure HTTPS to plain HTTP. If a server does this, the user can see the protocol change but may not necessarily become suspicious. One reason is that an insecure HTTP connection may be allowed, although the user will have no way of knowing this for certain. Implementing HSTS ensures that this cannot happen.

The relationship between a client and server is established during the client’s first visit to the site. This is known as the principle of Trust on First Use (TOFU). After establishing a relationship, when an [Strict-Transport-Security|HTTP HSTS header] is sent over an HTTP connection, the header is ignored. However, an attack can be successful if the [Strict-Transport-Security|HTTP HSTS header] can be removed during the client’s first visit to the site. To help mitigate this problem, internet browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox include a list of hard-coded HSTS sites. These are referred to as pre-loaded domains.

Pre-loaded domains

By including a list of HSTS sites in the browser, it guarantees that even the user’s first visit to the site will be secure, and thus, an attacker cannot remove the [Strict-Transport-Security|HTTP HSTS headers] and downgrade the protocol. HTTP Requests to be included in the preload list can be made using the official form.

Note

Submissions to the preload list are on domain level, not subdomain level. In addition, there are several top level domains (TLD), for example .DEV and .APP, which are preloaded on a TLD level and can not be excluded from preloading. Any content served on these preloaded TLDs has to be served from HTTPS.

Unaddressed concerns

Although HSTS generally protects users, it is a one-fit-all solution. For example, HSTS cannot prevent attacks against the underlying protocol, e.g. TLS. Similarly, if the server has been compromised then having a secure HTTP connection is inconsequential. This is a different class of man-in-the-middle attack. Finally, HSTS will not stop a DNS-based attack employed using a fictitious domain, provided that it is not in the hard-coded list.

Headers

The HTTP header used for HSTS is Strict-Transport-Security and it has several directives. The directives are not case sensitive and can be listed in any order, but can only appear once.

Directives

The valid directives for the Strict-Transport-Security are max-age, includeSubDomains, and preload.

  • max-age is a required directive that is used to specify the number of seconds that the HSTS policy remains in effect. If the value is zero “0” then it indicates that the HSTS policy shall be deleted.
  • includeSubDomains is an optional directive that does not require a value. When present, it indicates that the HSTS policy applies to all of the subdomains grouped under this host, in addition to the host itself.
  • preload is an optional directive that indicates the server is configured for HSTS preloading. Furthermore, it is either on the preload list or has applied to be on it.

Usage

When the client receives the HTTP Strict-Transport-Security header as part of a response then it must only use HTTPS to interact with the server for the next max-age seconds. Typically, the maximum age is either 3153600 seconds for one year, or 63072000 for two years.

Example

After a HTTP request is made, the server includes the [Strict-transport-security|HTTP HSTS header] in the HTTP response.

Strict-Transport-Security: max-age=3153600; includeSubDomains; preload

In this example, the server directs the client to communicate only using HTTPS for the next year. All of the subdomains also require HTTPS and the site meets the requirements for HSTS preloading.

Note

The [Strict-Transport-Security|HTTP HSTS header] is expected to be present on all HTTP responses, on HTTP and HTTPS, as well as all HTTP status codes.

Takeaway

HTTP Strict Transport Security (HSTS) is a mechanism used to ensure that interaction between endpoints is communicated securely, using HTTPS. It exists to prevent certain man-in-the-middle attacks. It relies on the Trust On First Use principle and to thwart attacks that attempt to exploit that, browsers support pre-loaded domains that only communicate using HTTPS.

Last updated: June 2, 2022