HSTS or HTTP Strict Transport Security is a protocol that can make it more difficult for attackers to modify or intercept traffic between a user and your website. Understanding what HSTS is and how it functions is crucial for anyone keen on protecting their site, as proper implementation can help to ensure that your website’s visitors are protected from attacks.
In this post, we’ll take a closer look at this feature, benefits and advantages to enabling it on your web server, and how to implement it in Apache, NGINX, and the Sucuri Firewall.
Contents:
HSTS stands for HTTP Strict Transport Security. It’s a web server directive that dictates browsers to only connect via HTTPS, ensuring a secure connection by default. This significantly minimizes the risk associated with the unencrypted HTTP connections, making it harder for attackers to exploit the connection.
HTTPS is a robust security protocol that encrypts data in transit, making it difficult to spy on malicious actors. However, due to a small technical issue, HTTPS may be vulnerable to man-in-the-middle attacks.
When a visitor types in your website address, their browser initially attempts to connect via HTTP and only switches to HTTPS after receiving a directive from your server. This brief moment of vulnerability, known as SSL stripping, is where attackers can swoop in and hijack the connection.
The following figure demonstrates an SSL stripping attack in action:
Here, the web server accepts only HTTPS requests. However, the browser is unaware about it, and hence it sends an HTTP request. The attackers hijack all HTTP traffic to their machines.
Once they receive the HTTP request they grab the request data and then repackage it into HTTPS request before sending it to the server.
Since the server does not have any identity of the sender, it responds back with the HTTPS response, which is again intercepted by the attackers to farm out data, and then the attackers convert that HTTPS request to HTTP before sending it to the original sender.
In this way, despite having an SSL certificate, both server and client are ignorant about the traffic interception going on somewhere in between.
When a website has HSTS enabled, it strictly instructs the browser saying, “Only connect to me via HTTPS“.
This instruction gets cached in the browser, so the next time the user visits the site, the browser skips the initial unsecured handshake and jumps straight to a secure HTTPS connection.
Let’s understand how it works with a diagram:
Now, if it was just a normal HTTPS website, this cycle will be repeated for every HTTP request sent by the user.
Once HSTS is enabled, the website instructs browsers to bypass the initial insecure HTTP connection altogether and jump straight to HTTPS.
The HSTS header is added to the HTTP response headers from your server with a syntax like so:
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
Let’s dissect the components of this header.
This is the duration for which your website should be accessed exclusively over HTTPS. It’s specified in seconds. For instance, max-age=31536000 instructs the browser to access the site securely for the next 1 year (31,536,000 seconds).
When included, this option extends the HSTS policy to all subdomains of your website, ensuring comprehensive security. Without this option, only the exact domain specified in the HSTS header is protected.
This option is a consent from the site owner to be included in the HSTS preload list, which is a list of websites hardcoded into browsers as being HTTPS-only. However, before opting for preload, it’s vital to understand the implications and ensure that your site will remain available over HTTPS indefinitely.
Enabling HSTS on your web server is a proactive step towards bolstering the overall security of your website.
Follow these steps to enable HSTS for Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Follow these steps to enable HSTS for NGINX:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"
Enabling HSTS in Sucuri Firewall takes just a couple of clicks and does not require any modification in the configuration files of your servers.
Testing whether HSTS (HTTP Strict Transport Security) is enabled and functioning correctly on your website is a vital step to ensure that your security configurations are in place. Here’s how you can go about it:
There are online tools such as the Qualys SSL Labs Server Test or the HSTS Preload Checker that you can use to test HSTS.
Simply enter your website URL, and these tools will provide you with a detailed analysis, including whether HSTS is enabled.
You can use the developer tools in your browser to check the headers returned by your website.
You can use the cURL command-line tool to check the headers of your website.
If HSTS is enabled, you’ll see a line starting with `Strict-Transport-Security`.
These methods provide a straightforward way to verify that HSTS is active and configured properly, ensuring that your website maintains a secure environment for its visitors.
Remember, a properly configured HSTS setup is a strong statement of your commitment to website security.
Though it’s a rare necessity, there could be instances where disabling HSTS (particularly in Chrome) becomes essential.
Here are the steps you can use to disable HSTS in Chrome:
Enter Domain: Scroll down to the ‘Delete domain’ section, type in the domain name you wish to clear HSTS for, and hit the ‘Delete‘ button.
There are a number of clear advantages to using HTTP Strict Transport Security. HSTS doesn’t wait for the initial insecure handshake to happen. Instead, it instructs browsers to directly establish a secure connection, leaving no window for SSL Stripping to intercept.
Browsers remember the HSTS instruction from previous visits. So, even if a user manually types in an HTTP address or clicks on an HTTP link, the browser knows to override that and use HTTPS instead.
HSTS can be configured to secure all subdomains as well without any additional configuration. Some websites go a step further and enlist in HSTS Preload lists. This is a list of websites known to require HTTPS, and modern browsers come pre-loaded with these lists, ensuring that the first-ever connection to the site is secure, closing the loophole that attackers could exploit.
And while HSTS enhances website security, it’s also important to be aware of its limitations. HSTS can tag browsers with identifiable information from super cookies when visiting an HSTS-enabled website, posing privacy concerns as this information can persist even in privacy modes and be used to identify visitors across different domains.
Additionally, HSTS doesn’t prevent DNS-based attacks, where attackers utilize misleading or artificial domains not on the HSTS Preload list. HSTS is also ineffective against advanced attacks targeting the Transport Layer Security (TLS) protocol, such as the BEAST or CRIME attacks.
In summary, HTTP Strict Transport Security (HSTS) is a critical protocol that enhances your website’s security and safeguards your site’s visitors.
Understanding how it works and correctly implementing it on your web server, be it via Apache, NGINX, or from Sucuri Firewall, can significantly boost your website security.
Despite its advantages, it’s important to be aware of HSTS limitations and take additional measures to address them. Testing your HSTS setup and ensuring its proper configuration is crucial.