HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
The HSTS policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The policy specifies a period of time during which the user agent should only access the server in a secure fashion.
How does HSTS work?
- You must first add the HSTS response header to the server.
- Enabling HSTS on a server involves adding the following HSTS response header in an HTTPS reply:
Strict-Transport-Security: max-age=expireTime [; includeSubDomains]
- For example:
Strict-Transport-Security: max-age=16070400; includeSubDomains
- The only required parameter is max-age, given in seconds. It specifies for how long the browser should connect to the server exclusively over HTTPS. It is also recommended to include the includeSubDomains directive so that the browser uses HTTPS for existing and future subdomains as well.
- When the browser accesses the website, the server replies with the HSTS header.
- This instructs the browser to only connect to the server and the entire domain through HTTPS. The browser will then remember to use the HTTPS connection for the specified max-age.
- Even if a user types http://www.domain.com, types the domain name without a scheme, uses a bookmark, or follows a third-party HTTP link, the browser will automatically upgrade the request to HTTPS. Once the max-age expires, the browser starts accessing the server through HTTP again unless the user specifies HTTPS.
- After receiving the HSTS header, the browser sends an HTTPS request.
- HSTS is supported by most browsers. Chrome and Mozilla Firefox maintain an HSTS preload list that automatically informs the browser that the website can only be accessed through HTTPS. A webmaster can add a website to the preloaded HSTS list by adding the “preload” parameter to the header and then submitting the domain to the list.
- For example:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload