What Is HTTP Strict Transport Security (HSTS) and How Do You Implement It?

By Nikita Gupta - Last modified on : Feb 07, 2025

A Deep Dive into HTTP Strict Transport Security (HSTS) and Quick Guide to Implement it Using the Best Practices

HTTP Strict Transport Security (HSTS) is a security mechanism that makes a browser access a website only over an encrypted HTTPS connection. A server turns it on by sending an HTTP response header named Strict-Transport-Security.

Defined in RFC 6797, HSTS protects websites against man-in-the-middle (MITM) and SSL stripping attacks by enforcing secure connections. When a web server includes this header in an HTTPS response, the browser records the policy and, for the time the header specifies, loads the site only over HTTPS. The header has no effect when it arrives over plain HTTP: browsers ignore it there, since anything received in the clear could have been injected by an attacker on the path.

HSTS removes the window for downgrade attacks, in which an attacker forces a user's browser onto HTTP instead of HTTPS, and so protects data such as passwords and payment details from interception in transit. The mechanism is an IETF standard (RFC 6797), published with the approval of the Internet Engineering Steering Group (IESG).

The Strict-Transport-Security header carries the following directives:

  1. max-age: the time, in seconds, for which the browser must load the site strictly over HTTPS. The countdown restarts every time the browser sees the header again, so a regularly visited site never falls out of the policy.
  2. includeSubDomains: an optional directive that extends the policy to every subdomain of the host that sent the header.
  3. preload: an optional directive that is not part of RFC 6797; it signals that the site owner consents to having the domain built into the browsers' preload list (see Step 5 below).

Why Should I Implement HSTS on an eCommerce Website?

HSTS mitigates several threats that expose websites and their users to attack. By enforcing HTTPS-only connections it hardens the site and improves user trust. The main threats it addresses are:

  1. Prevent SSL Stripping

    In an SSL stripping attack, a man in the middle intercepts the user's initial plain-HTTP request and keeps the user on HTTP while talking HTTPS to the real server, so sensitive data crosses the local network unencrypted. Once a browser has received an HSTS header from the site, it rewrites every later http:// request for that host to https:// before anything leaves the machine, which defeats the attack for the duration of max-age. The very first visit, before the browser has seen the header, is still exposed; only preloading (Step 5) closes that gap.

  2. Remove Insecure-Connection Warnings (and Make Certificate Errors Fatal)

    Because the browser never loads the site over HTTP, users do not see the "Not Secure" indicator during sign-up, login or checkout, which keeps credentials and payment details off an unencrypted channel. HSTS does not make certificate warnings disappear; it does the opposite. On an HSTS host the browser treats an invalid, expired or self-signed certificate as a hard error with no "proceed anyway" option, so an attacker cannot talk a user into clicking through a forged certificate.

  3. Reduce Mixed Content

    Mixed content (HTTP resources embedded in an HTTPS page) weakens the page's protection and can let an attacker inject scripts. HSTS helps here only within its scope: a request for an http:// image, script or stylesheet is rewritten to https:// if the resource's host is covered by an HSTS policy (the same host, or a subdomain when includeSubDomains is set). Resources on third-party hosts without HSTS are unaffected, so you still need to fix those references or rely on the browser's mixed-content blocking and a Content-Security-Policy (see the Challenges section below).

HTTP Strict Transport Security (HSTS) – How Does It Work?

When you type a bare hostname such as www.example.com into the address bar, browsers have historically opened the http:// (unencrypted) version unless you typed https:// explicitly or the site redirected you. Some current browsers now try HTTPS first for typed addresses, but a link or bookmark that says http:// still produces a plain-HTTP request.

If the domain is not preloaded and the browser has no cached policy yet, that first request goes out in the clear and the server answers with a 301 redirect to the HTTPS URL. Only the HTTPS response can carry an HSTS header the browser will honour; once the browser has received it, HTTPS is enforced for subsequent visits.

Once the browser connects over HTTPS, the server sends an HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This header tells the browser to use HTTPS for every request to the site and its subdomains for the next 31,536,000 seconds, i.e. one year. When the browser is about to follow an http:// link to a covered host, it rewrites the URL to https:// internally; no HTTP request is sent at all. If HTTPS is unavailable, for example because port 443 is down, the browser shows an error rather than falling back to HTTP.

Without HSTS, a browser lets the user click through the warning for an invalid, expired or self-signed certificate. With HSTS the browser enforces the policy without exceptions: a certificate problem terminates the connection, and the user cannot proceed until the certificate is fixed or the host is removed from the browser's HSTS store.

In short, HSTS forces every interaction with the site over HTTPS, removing accidental HTTP connections and protocol downgrade attacks. It is a powerful security header, but a misconfiguration can lock users out for as long as max-age lasts, so careful setup is crucial.

Which Hosts the HSTS Header Applies To

The Strict-Transport-Security header applies to the host that sent it and, only if includeSubDomains is present, to the hosts beneath it. It never reaches upward: if only a subdomain (say, www.ssl2buy.com) sends the header, the policy does not apply to ssl2buy.com. For complete coverage, the base domain (ssl2buy.com) must itself serve the header with includeSubDomains, which then covers www.ssl2buy.com and every other subdomain at any depth.
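To make the scoping and lifetime rules concrete, here is a small model of a browser's HSTS store, written for this article as an added example; it is not code from any browser or from SSL2BUY. It implements the behaviour described above and in RFC 6797: the header is honoured only on HTTPS responses, max-age sets an expiry, includeSubDomains extends coverage downward but never upward, max-age=0 deletes a stored policy, and http:// URLs for a covered host are rewritten to https:// before any request is sent. The host names (ssl2buy.com, www.example.com) are used as sample data only.

```python
"""Model of a browser's HSTS policy store (added example, not browser code).

Follows RFC 6797: honour the header only over HTTPS, expire after max-age,
extend to subdomains only with includeSubDomains, delete on max-age=0, and
rewrite http:// to https:// for covered hosts before any request is sent.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # seconds since the epoch
    include_subdomains: bool


def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains), or None for a header a browser must ignore.

    Directive names are case-insensitive and max-age may be quoted. The preload
    directive is accepted but has no effect on the browser's own store.
    """
    max_age = None
    include_sub = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so expiry can be tested
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, url: str, sts_header: Optional[str]) -> None:
        """Record the policy carried by a response to url; ignored unless url is https."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https" or host is None or sts_header is None:
            return
        parsed = parse_sts(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                         # RFC 6797 s6.1.1: max-age=0 forgets the host
            self.policies.pop(host, None)
            return
        self.policies[host] = HstsPolicy(self.clock() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        """True if host is covered by an unexpired policy, exactly or via includeSubDomains."""
        now = self.clock()
        labels = host.lower().split(".")
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])   # the host, then each parent domain in turn
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self.policies[candidate]        # drop expired entries lazily
                continue
            if depth == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser will actually fetch (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # An explicit :80 becomes the https default (443); any other port is kept.
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("http://ssl2buy.com/", "max-age=31536000")    # received over HTTP: ignored
    print(cache.rewrite("http://ssl2buy.com/"))                 # unchanged
    cache.observe("https://ssl2buy.com/", "max-age=31536000; includeSubDomains; preload")
    print(cache.rewrite("http://ssl2buy.com/cart"))             # https://ssl2buy.com/cart
    print(cache.rewrite("http://shop.ssl2buy.com/"))            # covered via includeSubDomains
```

The parent-domain walk in is_known is what makes a policy on ssl2buy.com with includeSubDomains cover shop.ssl2buy.com, while a policy stored for www.example.com alone does nothing for example.com or for a.www.example.com.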

Key Security Benefits of Implementing HSTS

Websites that serve only part of their content over TLS, mixing secure and non-secure resources, are exposed to the threats described above. HSTS adds to the protection the certificate itself provides and covers gaps left by an incomplete TLS rollout in the following ways:

Turn HTTP links into HTTPS links

With the includeSubDomains directive, every request the browser makes to the site or any of its subdomains is upgraded to HTTPS. This resolves the problems caused by a partial TLS deployment and by mixed content that references the site's own scripts and images over http://.

Stop unsecured connections outright

Many users click through security warnings. With HSTS in place the browser refuses the connection when the certificate is invalid, whether or not the user would have accepted the warning, which removes a whole class of attacks that rely on user error.

Keep the site in its secure mode only

Site owners gain confidence that the site is reachable only over HTTPS, so no page or resource can be served in the clear by mistake.

Defend against cookie forcing

In a cookie forcing attack, a man in the middle answers a plain-HTTP request for some subdomain (one that need not even exist) and sets a cookie scoped to the parent domain, which the browser then sends to the HTTPS site. Serving the header on the base domain with includeSubDomains means no subdomain is ever requested over HTTP, so the attacker never gets the chance to set that cookie.

Convert insecure URL references

Any http:// URL for a covered host, whether typed by a user or emitted by a script, is rewritten to https:// by the browser. The connection stays encrypted, and unintentional protocol downgrades that could expose sensitive data are avoided.

Steps to Implement HSTS on Your Web Server

We have covered the problems HSTS solves, how it works and its benefits. Now let's go through the five steps to implement it on your web server.

Step 1: Move a Website from HTTP to HTTPS using SSL Certificate

Before configuring HSTS, make sure your website is completely operating on HTTPS. To make it work using HTTPS, you need to:

  1. Get an SSL/TLS certificate from a reputable certificate authority.
  2. Once issued, install the certificate on the web server.
  3. Configure the server to redirect every HTTP request to the HTTPS URL on the same host.
  4. Make sure all internal links use HTTPS.
  5. Lastly, verify that all external resources, such as scripts and images, are also loaded over HTTPS.

Step 2: Adding HSTS Header on Apache, Nginx, and IIS Server

Test the configuration first with a short max-age, for instance max-age=300 (5 minutes), so that a mistake expires within minutes instead of locking visitors out for a year.

Method – 1. For Apache Server

Add the following to the HTTPS VirtualHost (or to .htaccess); mod_headers must be enabled:

Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

If the same configuration also serves plain HTTP, append env=HTTPS to that line so the header is sent only on TLS responses, as RFC 6797 requires.

Method – 2. For Nginx Server

Add it to the server block that listens on 443 with ssl in the Nginx configuration:

add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload" always;

Keep in mind that add_header is not inherited by a location block that contains its own add_header directives; repeat the line in such blocks, otherwise responses served from them go out without the header.

Method – 3. For IIS Server

Add this to the web.config file of the IIS server:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=300; includeSubDomains; preload"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

Step 3: Testing HSTS Policy Implementation

Once the header is added, verify the deployment.

  1. Use Available Online Tools

    Use an online header scanner to confirm the header is served and well formed. The form at hstspreload.org checks a domain against the preload requirements and reports every error, and the OWASP Secure Headers Project lists further scanners.

  2. Developer Tools of Browser

    1. Visit your site in a browser like Google Chrome or Mozilla Firefox.
    2. Press F12 and it’ll open the Developer Tools.
    3. Locate and go to the Network tab.
    4. Refresh the opened web page and select the initial request (it’s your domain).
    5. Under Response Headers, find Strict-Transport-Security and confirm it is present on the HTTPS response.
  3. Testing HSTS Enforcement

    1. Open your website using http:// and make sure it redirects to https://. Once the browser has seen the header, repeating this shows an internal redirect in the Network tab (Chrome labels it "307 Internal Redirect") and no request leaves the browser over HTTP; Chrome's chrome://net-internals/#hsts page also lets you query the stored policy for a domain.
    2. If you set includeSubDomains, make sure every subdomain is reachable over HTTPS, including hosts that are only used internally.
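The checks in Step 3, together with the requirements the preload list in Step 5 enforces, can be scripted. The following audit is an added example written for this article, not a tool from SSL2BUY or from hstspreload.org. It takes the status and headers of a plain-HTTP response and of an HTTPS response for the same host and reports every deviation: missing or off-host redirect, header missing on the HTTPS response, header also sent over HTTP, max-age under one year, and missing includeSubDomains or preload. Run with a hostname it fetches live responses with http.client; without arguments it audits a constructed pair of sample responses (the sample values are made up for the example, not captured from the real site).

```python
"""Audit of a site's HSTS deployment (added example; not SSL2BUY's or hstspreload.org's tooling).

Given a plain-HTTP and an HTTPS response for the same host, report every
deviation from Step 3 above and from the preload list's published requirements.
"""
import re
import sys
import http.client
from typing import Dict, List, Tuple

ONE_YEAR = 31536000
Response = Tuple[int, Dict[str, str]]     # (status, lower-cased header name -> value)


def fetch(host: str, scheme: str) -> Response:
    """GET / from host over http or https without following redirects."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("GET", "/", headers={"Host": host, "User-Agent": "hsts-audit/0.1"})
    resp = conn.getresponse()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers


def audit(host: str, http_resp: Response, https_resp: Response) -> List[str]:
    """Return a list of findings; an empty list means the host looks preload-ready."""
    findings: List[str] = []
    http_status, http_headers = http_resp
    https_status, https_headers = https_resp
    want = f"https://{host.lower()}"

    # 1. Plain HTTP must redirect straight to HTTPS on the same host (preload rule).
    location = http_headers.get("location", "").lower()
    if http_status not in (301, 302, 307, 308):
        findings.append(f"http://{host}/ answered {http_status} instead of redirecting to HTTPS")
    elif location != want and not location.startswith(want + "/"):
        findings.append(f"http://{host}/ redirects to {location!r}, not to {want}/ "
                        "(first hop must stay on the same host)")

    # 2. The header on a plain-HTTP response is ignored by browsers, and
    #    RFC 6797 s7.2 says a server must not send it there; flag it as a config smell.
    if "strict-transport-security" in http_headers:
        findings.append("Strict-Transport-Security is also sent over plain HTTP (ignored by browsers)")

    # 3. The HTTPS response, even if it is itself a redirect (e.g. to www),
    #    must carry the header with preload-grade directives.
    sts = https_headers.get("strict-transport-security")
    if sts is None:
        findings.append(f"HTTPS response ({https_status}) has no Strict-Transport-Security header")
        return findings
    lowered = sts.lower()
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', lowered)
    if match is None:
        findings.append(f"max-age missing or non-numeric in {sts!r}; browsers ignore such a header")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(f"max-age={match.group(1)} is below the one year (31536000) preload requires")
    if "includesubdomains" not in lowered:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    if "preload" not in lowered:
        findings.append("preload directive missing; the submission form will reject the domain")
    return findings


# Constructed sample responses for offline use (not captured from a real host).
SAMPLE_HTTP: Response = (301, {"location": "https://ssl2buy.com/", "content-length": "0"})
SAMPLE_HTTPS: Response = (200, {"strict-transport-security": "max-age=300; includeSubDomains; preload",
                                "content-type": "text/html"})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        problems = audit(target, fetch(target, "http"), fetch(target, "https"))
    else:
        target = "ssl2buy.com"
        problems = audit(target, SAMPLE_HTTP, SAMPLE_HTTPS)
    print("\n".join(problems) or f"{target}: no findings")
```

Against the constructed sample, the only finding is the 5-minute max-age from Step 2, which is exactly what Step 4 raises before a preload submission. Run it as python hsts_audit.py yourdomain.example to audit a live host; the fetch deliberately does not follow redirects, because the preload list judges the first hop only.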

Step 4: Increase the Value of max-age

Once you have confirmed that HSTS works correctly with the short max-age, raise the value to a long duration, for instance one year (max-age=31536000), which is also the minimum the preload list accepts.

Method – 1. For Apache

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Method –2. For Nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Method – 3. For IIS

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

Step 5: Go for HSTS Preloading

HSTS preloading adds a further layer: your domain is built into the browsers' own HSTS list, so even the very first visit from a fresh browser goes over HTTPS and the gap described under SSL stripping disappears. The list is maintained at hstspreload.org by the Chrome team and is also consumed by Firefox, Safari and Edge. To preload a site:

  1. Serve the header on the base domain with max-age of at least 31536000, includeSubDomains and preload, and redirect HTTP to HTTPS on the same host.
  2. Visit the HSTS Preload List Submission website (hstspreload.org).
  3. Enter your domain and follow the submission process.
Note: Preloading is strong protection but hard to undo; removal has to be requested and takes months to reach all browser releases. Before you submit, make sure every subdomain, including internal ones, is ready for long-term HTTPS-only access.

Best Practices to Follow While Implementing HSTS Header

Below are some of the points that you should consider and practice for implementing HSTS (HTTP Strict Transport Security).

  1. Start with a Low max-age Value

    Begin with a low value such as max-age=300 and raise it only after everything has been confirmed to work. This keeps a misconfiguration from locking visitors out for a long time.

  2. Be Careful with includeSubDomains

    Before adding this directive, make sure every subdomain, including staging, mail and internal hosts, works over HTTPS, because the policy will cover all of them.

  3. Declare the Policy on the Registered (Base) Domain

    The policy should be declared on the base domain itself (example.com rather than a subdomain of it), since a header sent by a subdomain never applies upward. A preload-ready header on the base domain looks like this:

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  4. Monitor Regularly

    Check the HTTPS configuration regularly to make sure certificates are valid and correctly installed; under HSTS a certificate error is an outage, not a warning the user can dismiss.

  5. Apply the Policy to the Parent Domain, Not Only to www

    Serve the policy for https://domain.gov, not just for https://www.domain.gov. A policy on the parent domain with includeSubDomains protects users against cookie injection by MITM attackers on any subdomain; a policy on www alone does not.

HSTS Challenges & Their Solutions

A common question is "Are there any issues with HTTP Strict Transport Security (HSTS)?" In most deployments there are none, but a few situations need attention, and each has a solution.

  1. Mixed Content Issues

    Challenge: Some resources may still be referenced over HTTP.

    Solution: Add a Content-Security-Policy header. The upgrade-insecure-requests directive makes the browser rewrite the page's own http:// sub-resource requests to https://, and a Content-Security-Policy-Report-Only header with a report-uri (or report-to) directive surfaces the remaining mixed content as violation reports before you enforce anything.

  2. Expiration of Certificate

    Challenge: An expired certificate locks users out completely, because HSTS removes the option to click through the warning.

    Solution: Monitor certificate expiry and automate renewal well before the expiry date to prevent outages.

  3. Development & Testing Environments

    Challenge: After deploying HSTS with includeSubDomains on the base domain, development hosts such as dev.example.com can no longer be reached over plain HTTP, because the policy covers them too.

    Solution: Put staging and development on a separate registered domain where HSTS is not set, or give those hosts proper certificates. Clearing the browser's HSTS entry is only a local workaround.

  4. Complications of Reverse Proxy

    Challenge: When TLS terminates at a reverse proxy or load balancer, a header set by the backend may be stripped, duplicated, or attached to responses the proxy delivers over plain HTTP.

    Solution: Set the header once, at the layer that terminates TLS, and check the response that actually reaches the client rather than the one the backend emits.


Conclusion

HTTP Strict Transport Security (HSTS) is an important mechanism for enforcing HTTPS on a website and keeping both the site and its visitors safe from SSL stripping and other man-in-the-middle attacks. Through the Strict-Transport-Security header it guarantees that, after the first secure visit, every connection stays encrypted.

Implementing HSTS needs some planning and configuration, but it is still recommended for the robust security and trust it provides.

About the Author
Nikita Gupta

Nikita Gupta is a seasoned professional with a master's degree in Computer Applications. She brings over 10 years of profound experience to the realm of technology. Her exceptional expertise spans software security, data security, and mastery in SSL/TLS. When it comes to cutting-edge solutions for securing digital assets, Nikita is a dedicated pro.
