You may have made sure that your websites have SSL enabled, and the pretty security padlock in your browser is green. However, you may have forgotten about HTTP’s little security man, HTTP Strict Transport Security (HSTS).
What is HSTS, and how can it help keep your site secure?
What Is HTTPS?
Hyper Text Transfer Protocol Secure (HTTPS) is a secured version of a website (HTTP). The encryption is enabled using the Secure Sockets Layer (SSL) protocol and is validated with an SSL certificate. When you connect to an HTTPS website, the information transferred between the website and the user is encrypted.
This encryption helps protect you against data theft through Man-in-the-Middle-Attacks (MITM). The added layer of security also slightly helps improve the reputation of your website. In fact, adding an SSL certificate is so easy, that many web hosts will add it to your site by default, for free! That said, HTTPS still has some flaws that HSTS can help fix.
What Is HSTS?
HSTS is a response header that informs a browser that enabled websites can only be accessed via HTTPS. This forces your browser to only being able to access the HTTPS version of the website and any resources on it.
You may not be aware that even though you have set up your SSL certificate correctly and enabled HTTPS for your website, that the HTTP version is still available. This is true even if you have set up forwarding using 301 Permanent Redirection.
Although the HSTS policy has been around for a little while, it was only formally rolled out by Google in July 2016. Which may be why you haven’t heard of it much yet.
Enabling HSTS will stop SSL protocol attacks and cookie hijacking, two additional vulnerabilities in SSL-enabled websites. And in addition to making a website more secure, HSTS will make sites load quicker by removing a step in the loading procedure.
What Is SSL Stripping?
Although HTTPS is a huge improvement from HTTP, it’s not invulnerable to being hacked. SSL stripping is a very common MITM hack for websites that uses redirection to send users from an HTTP to the HTTPS version of their website.
301 (permanent) and 302 (temporary) redirect basically works like this:
- A user types google.com in their browser’s address bar.
- The browser initially tries to load http://google.com as the default.
- “Google.com” is set up with a 301 permanent redirect to https://google.com.
- The browser sees the redirect and loads https://google.com instead.
With SSL stripping, the hacker can use the time between step 3 and step 4 to block the redirect request and stop the browser from loading the secure (HTTPS) version of the website. As you are then accessing an unencrypted version of the website, any data you enter can be stolen.
The hacker can also redirect you to a copy of the website you are trying to access, and capture all of your data as you enter it, even if it looks secure.
Google has implemented steps in Chrome to stop some types of redirection. However, enabling HSTS should be something you do by default for all of your websites from now on.
How Does Enabling HSTS Stop SSL Stripping?
Enabling HSTS forces the browser to load the secure version of a website, and ignores any redirect and any other call to open an HTTP connection. This closes the redirection vulnerability that exists with a 301 and 302 redirect.
There is a negative side even to HSTS, and that is that a user’s browser has to see the HSTS header at least once before it can take advantage of it for future visits. This means that they will have to go through the HTTP > HTTPS process at least once, leaving them vulnerable the first time they visit an HSTS-enabled website.
To combat this, Chrome preloads a list of websites that have HSTS enabled. Users can submit HSTS-enabled websites to the preload list themselves if they fit the required (simple) criteria.
Websites added to this list will be hardcoded into future versions of Chrome updates. It makes sure that everyone who visits your HSTS enabled websites in updated versions of Chrome will stay secure.
Firefox, Opera, Safari and Internet Explorer have their own HSTS preload list, but they are based on the Chrome list on hstspreload.org.
How to Enable HSTS on Your Website
To enable HSTS on your website you first need to have a valid SSL certificate. If you enable HSTS without one, your site will be unavailable to any visitor, so make sure your website and any subdomains are working over HTTPS before continuing.
Enabling HSTS is pretty easy. You simply need to add a header to the .htaccess file on your site. The header you need to add is:
Strict-Transport-Security: max-age=31536000; includeSubDomains
This adds a one year max age access cookie (what is a cookie?), which includes your website, and any subdomains. Once a browser has accessed the website, it’ll be unable to access the unsecured HTTP version of the website for a year. Make sure that all of the subdomains on this domain are included in the SSL certificate, and have HTTPS enabled. If you forget this, the subdomains won’t be accessible after you save the .htaccess file.
Websites that are missing the includeSubDomains option can expose visitors to privacy leaks by allowing subdomains to manipulate cookies. With includeSubDomains enabled, these cookie-related attacks won’t be possible.
Note: Before adding the one-year max-age, test your entire website with five-minute max-age first using: max-age=300;
Google even recommends that you test your website and its performance (traffic) with a one week, and one month value as well before implementing a two-year max-age.
Five minutes: Strict-Transport-Security: max-age=300; includeSubDomains One week: Strict-Transport-Security: max-age=604800; includeSubDomains One month: Strict-Transport-Security: max-age=2592000; includeSubDomains
Making the HSTS Preload List
By now you should be familiar with HSTS and why it is important for your site to use it. Keeping your website visitors safe online should be a key element of your site plan.
To be eligible for the HSTS preload list that Chrome and other browsers use, your website has to meet the following requirements:
- Serve a valid SSL certificate.
- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
- Serve all subdomains over HTTPS. In particular, you must support HTTPS for the www.subdomain if a DNS record for that subdomain exists.
- Serve an HSTS header on the base domain for HTTPS requests:
- The max-age must be at least 31536000 seconds (1 year).
- The includeSubDomains directive must be specified.
- The preload directive must be specified.
- If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
If you want to add your website to the HSTS preload list, make sure you add the required preload tag. The “preload” option signifies that you want your website to be added to Chrome’s HSTS preload list. The response header in .htaccess should then look like this:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
We recommend that you add your website to the hstspreload.org. The requirements are pretty easy to meet, and it’ll help protect your website’s visitors, and potentially improve your website’s search engine ranking.