HSTS is a web security response header. The name is an acronym for “HTTP Strict Transport Security”. The function of the HSTS header is to make browsers connect to a website exclusively over HTTPS.
Tip: HTTPS uses encryption to protect your web connection from hackers trying to modify or monitor it. HTTP doesn’t have these protections, so a hacker in the right position on the network could monitor and modify your HTTP traffic.
A web response header is a piece of metadata sent by the server when it responds to a web request. A subset of these headers is often referred to as security headers, as their purpose is to increase the security of the website and its users.
The HSTS header has two mandatory parts and two optional ones. The header name “Strict-Transport-Security” and the “max-age” directive with its value are both mandatory. Two further directives, “includeSubDomains” and “preload”, are also sometimes used.
When the browser receives an HTTPS response carrying the HSTS header, it is instructed to connect to this website, and to all resources on it, exclusively over HTTPS for the duration of the “max-age” timer. “Max-age” states how long the browser must remember the setting. Its value is given in seconds; the recommended value is “31536000”, which is one year.
The idea is that within the duration of this timer, which is reset with each subsequent page load, the browser will insist on an HTTPS connection and will not fetch any of the site’s resources over plain HTTP. This protects against person-in-the-middle attacks, where a hacker sitting between you and the web server can manipulate the responses you receive.
The main point at which this protects you is the first connection. Typically, when you visit a website, you first request the HTTP version and are then redirected to the HTTPS version. Unfortunately, a hacker in a person-in-the-middle position could block this upgrade to HTTPS and then steal or monitor your activity on the website. Once the browser has seen the HSTS header, however, it will make even that first connection over HTTPS, protecting you from such an attacker.
HSTS also prevents any insecure resources from being loaded; resources delivered over HTTP could likewise be maliciously modified by an attacker.
The “includeSubDomains” directive indicates that the policy also applies to every subdomain of the website.
The HSTS preload list
You may notice that HSTS still doesn’t protect you the very first time you connect to a website. This is where the “preload” directive comes in. Websites can submit themselves for inclusion in the HSTS preload list, and the “preload” directive is a required indicator that the site has done so. The HSTS preload list is regularly updated and shipped inside the browser; if a site is on that list, the browser applies the HSTS protections to it. This happens even on the very first connection, before the browser could ever have seen the HSTS response header.
Tip: A “max-age” of a year or more is required to be added to the HSTS preload list.
Issues with HSTS
One of the main properties of HSTS is that the browser presents an error if there is any problem with the HTTPS connection. As an extra security precaution, users are not supposed to be able to bypass HSTS error messages the way they can with ordinary HTTPS errors.
Unfortunately, this causes trouble if a company rolls out HSTS before the entire website, and every resource used on it, supports HTTPS. In that case users start to see HSTS security errors that they cannot bypass, which effectively breaks the website completely. The worst part is that simply removing the HSTS header doesn’t fix the issue for those users, as their browsers will continue to enforce HSTS for the potentially months-long “max-age”.
It is therefore critically important to use a short “max-age” when first deploying the header; if there are any issues, they then persist only for a short time once discovered. Only once you’re confident that your website is completely HSTS compliant should you configure a long HSTS timer.
Tip: It’s also possible to set a “max-age” of 0, which removes the saved HSTS entry from the browser of anyone who receives it. This can help if there’s an issue, but it only helps users when and if they come back and try the site again, because the header has to be received before it can take effect.
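Pulling the pieces above together (the header’s mandatory and optional directives, the browser-side timer with “includeSubDomains”, the preload eligibility check, and the “max-age” of 0 reset from the tip), here is an added Python example that is not part of the original article: a parser for the header value and a toy model of the browser’s HSTS store. The HstsPolicy and HstsStore names are my own, the clock is injectable so expiry can be exercised without waiting, and the preload check additionally requires “includeSubDomains”, which hstspreload.org’s submission rules demand alongside the one-year “max-age” and the “preload” directive mentioned in the text.

```python
import time
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the max-age value the article recommends

@dataclass
class HstsPolicy:  # hypothetical name, not from the article
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: max-age is mandatory, the flags optional."""
    max_age, flags = None, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():  # must be a non-negative whole number of seconds
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)  # names are case-insensitive; unknown directives are ignored
    if max_age is None:
        raise ValueError("max-age directive is missing")
    return HstsPolicy(max_age, "includesubdomains" in flags, "preload" in flags)

def preload_eligible(policy: HstsPolicy) -> bool:
    """hstspreload.org accepts a site only with max-age >= 1 year, includeSubDomains and preload."""
    return policy.max_age >= ONE_YEAR and policy.include_subdomains and policy.preload

class HstsStore:
    """Toy model of the browser's HSTS store: host -> (expiry timestamp, includeSubDomains)."""
    def __init__(self, clock=time.time):
        self.clock, self.entries = clock, {}

    def observe(self, host: str, header: str, over_https: bool = True) -> None:
        if not over_https:
            return  # the header only counts when it arrives in an HTTPS response
        policy = parse_hsts(header)
        if policy.max_age == 0:
            self.entries.pop(host, None)  # max-age=0 deletes the remembered entry
        else:  # every page load that carries the header restarts the timer
            self.entries[host] = (self.clock() + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str) -> bool:
        for known, (expiry, subs) in self.entries.items():
            if self.clock() < expiry and (host == known or (subs and host.endswith("." + known))):
                return True
        return False
```

Feeding the store a short “max-age” first and a long one only later mirrors the rollout advice above, and you can watch an entry disappear when a “max-age=0” header is observed.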