fir3net

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a security policy, defined in RFC 6797, designed to protect domains against both downgrade and passive network attacks. HSTS achieves this by:

  • Transforming all insecure (HTTP) links to HTTPS links.
  • Requiring the browser to terminate the connection should it observe any certificate warnings or errors for the domain's certificate.

Strict-Transport-Security Header

HSTS operates by the web server sending a Strict-Transport-Security HTTP response header to the browser. Browsers honour the header only when it arrives over an HTTPS connection; one received over plain HTTP is ignored, since an attacker on the path could have injected it. Once the browser receives this header, the HSTS policy is applied for the domain(s) and all further requests are made over HTTPS.

There are three directives in the Strict-Transport-Security header:

  • max-age - The period (in seconds) for which the browser will apply the HSTS policy once the Strict-Transport-Security header is received.
  • includeSubDomains (optional) - A valueless directive that extends the HSTS policy to all subdomains of the host.
  • preload (optional) - Browsers ship with a built-in list of domains to which the HSTS policy is always applied, even before the first visit. This directive signals that the site owner consents to the domain's submission to the preload list.

Within the browser a list is maintained of the domains to which the HSTS policy applies. Each entry carries an expiry time that is refreshed (from max-age) each time the Strict-Transport-Security header is received.
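As an added illustration (not the article's code, nor any browser's implementation), the following Python models the header parsing and the browser-side list described above: the header is honoured only over HTTPS, a missing or duplicated max-age invalidates it, includeSubDomains extends coverage to child domains, the expiry is refreshed on each receipt, and max-age=0 clears the entry. Host names and times are constructed for the example.

```python
import time
from urllib.parse import urlsplit
# Constructed, simplified model of RFC 6797 behaviour; not the page's or any browser's code.

def parse_sts(header):
    """Return (max_age, include_subdomains), or None if a browser would ignore the header."""
    max_age, subs, seen = None, False, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # RFC 6797: a directive appearing twice makes the header invalid
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True  # valueless directive; 'preload' and unknown names are ignored here
    return None if max_age is None else (max_age, subs)

class HstsStore:
    """Browser-side HSTS list: host -> (expiry in epoch seconds, include_subdomains)."""
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}
    def observe(self, url, header):
        """Apply a response header; only an https response may create or refresh an entry."""
        u, parsed = urlsplit(url), parse_sts(header)
        if u.scheme != "https" or parsed is None:
            return False
        max_age, subs = parsed
        if max_age == 0:
            self.entries.pop(u.hostname, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[u.hostname] = (self.now() + max_age, subs)
        return True
    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False
    def upgrade(self, url):  # http:// -> https:// for covered hosts (the link-transforming step)
        u = urlsplit(url)
        return "https://" + url[7:] if u.scheme == "http" and self.is_known(u.hostname) else url
```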

Browser Support

For details of browser support please click here

Tags: SSL, HTTP, TLS, HTTPS, HSTS

About the Author

R Donato

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001