HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It lets a web server declare that browsers (and other complying user agents) should interact with it only over HTTPS, never over plain HTTP. Because the rule is enforced inside the browser, a browser that has learned the policy never sends a plain-HTTP request to the site, which closes the window that man-in-the-middle attacks based on redirecting or tricking the user agent depend on. The policy is learned from a response received over HTTPS, so the very first visit is covered only when the domain ships in a browser's preload list, as described below.
How the Strict-Transport-Security Header Works
When a browser makes an HTTPS request and the response includes the Strict-Transport-Security header, it receives a set of directives that dictate its future behaviour toward that host. The core of the header is the max-age directive, the number of seconds for which the browser should remember to reach the site only over HTTPS; max-age=31536000, for example, enforces the policy for one year, and each later response carrying the header refreshes the timer. During this period any attempt to load the site over HTTP, whether from a typed URL, a bookmark or an http:// link, is rewritten to HTTPS inside the browser before any insecure request is sent. The header is honoured only on responses received over HTTPS with no certificate errors; on a plain-HTTP response it is ignored, since otherwise an on-path attacker could set or clear the policy himself.
Preload Directives and Browser Lists
Beyond basic enforcement, the includeSubDomains directive extends the policy to every subdomain of the host that sent it, so that each part of the domain gets the same treatment (including hosts that never served HTTPS, which is why it needs care). The most significant feature is the preload directive, though it does not itself submit anything: it records the site owner's consent to being added to the hardcoded list that ships inside browsers. Inclusion is requested separately through the hstspreload.org submission form, which is run by the Chromium project and whose list is also consumed by Firefox, Safari and Edge. Once a domain is on that list, the browser refuses plain HTTP to it before it has ever received the header, which protects the very first visit. Submission requires strict adherence to the list's conditions, which include a max-age of at least one year, includeSubDomains, the preload token, and a direct redirect from HTTP to HTTPS on the same host, precisely because a preloaded entry that is wrong amounts to a self-inflicted denial of service that is slow to undo.
Protection Against SSL Stripping and User Error
One of the primary threats HSTS addresses is SSL stripping. In this attack a network-level adversary intercepts the user's initial plain-HTTP request and either removes the redirect to HTTPS or rewrites https:// links to http://, keeping the user on an insecure connection while the attacker talks HTTPS to the real site. A browser that has cached the policy (or has the domain preloaded) never sends that initial HTTP request, so there is nothing to strip; a first-time visitor with no cached policy is still exposed, which is exactly the gap preloading closes. HSTS also removes a class of user error: when a policy is in effect, certificate errors are treated as hard failures, and the browser offers no "Continue to insecure site" or "proceed anyway" option, so a user cannot click through to a site presenting a forged or self-signed certificate.
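The browser-side behaviour described in the three sections above (header handling, includeSubDomains and preloading, and why a stripping attacker has nothing to work with), modelled as an added example. This is illustrative code written for this page, not any browser's implementation: a small HSTS store that ignores the header on plain-HTTP responses, honours max-age, includeSubDomains and max-age=0 over HTTPS, treats a constructed preload set as permanent entries, and rewrites http:// URLs before any request would be sent. The host names, header values and the clock are constructed inputs.

```python
"""Constructed model of a browser's HSTS store (illustrative; not any browser's code)."""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float           # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[Tuple[int, bool, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains, preload).

    Directive names are case-insensitive. A missing or non-numeric max-age makes the
    header invalid and the function returns None, which callers treat as 'ignore it'.
    """
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_subdomains, preload)


class HstsCache:
    """What a browser remembers: host -> policy, plus a baked-in preload set."""

    def __init__(self, preloaded: Iterable[str] = (), now: Callable[[], float] = time.time):
        self._now = now
        # Preloaded domains (a constructed stand-in for the shipped list) are permanent
        # includeSubDomains entries; the real list only accepts domains asserting it.
        self._entries: Dict[str, HstsEntry] = {
            host.lower(): HstsEntry(float("inf"), True) for host in preloaded
        }

    def observe_response(self, url: str, headers: Dict[str, str]) -> None:
        """Learn (or revoke) a policy from a response. Only HTTPS responses count:
        a header on a plain-HTTP response is ignored, so an on-path attacker who
        controls HTTP traffic can neither set nor clear the policy. The preload
        token changes nothing here; it only matters to the list maintainers."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(sts) if sts is not None else None
        if parsed is None:
            return
        max_age, include_subdomains, _preload = parsed
        if max_age == 0:
            # max-age=0 is the documented way for a site to withdraw its policy
            self._entries.pop(parts.hostname, None)
        else:
            self._entries[parts.hostname] = HstsEntry(self._now() + max_age, include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self._now():
                del self._entries[candidate]      # expired: forget it
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// *before* any request is sent (RFC 6797 section 8.3);
        an explicit port 80 becomes the HTTPS default, any other port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    cache = HstsCache(preloaded=["bank.example"], now=lambda: clock[0])
    print(cache.rewrite("http://bank.example/"))          # preloaded: upgraded on first visit
    cache.observe_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=300; includeSubDomains"})
    print(cache.rewrite("http://api.example.com/v1"))     # covered via includeSubDomains
    clock[0] += 301
    print(cache.rewrite("http://api.example.com/v1"))     # policy expired: stays http
```

The point of the scheme check in observe_response is the stripping defence in reverse: the attacker who owns the HTTP leg of the connection cannot inject a header to shorten or remove the policy, and a stripped first visit leaves no trace in the store; only a clean HTTPS response, or the preload set, ever populates it.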
Configuration Best Practices
Implementing HSTS correctly requires careful attention to the deployment timeline. First make sure the site is fully functional over HTTPS, including every redirect, every embedded resource and every subdomain that will fall under the policy, before sending the header at all; a host that only ever served HTTP, such as a mail or intranet name, becomes unreachable once includeSubDomains covers it. Then set max-age to a low value initially, such as a few minutes, and leave out includeSubDomains and preload, so behaviour can be observed without committing to a long enforcement period. Only after that period has passed cleanly should max-age be raised, in steps, toward the one-year-or-longer value that preloading requires.
Deploying the Header and Managing Errors
Deploying the header itself is straightforward: the web server configuration must add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload to responses for the desired domains, on the HTTPS virtual host (sending it over HTTP achieves nothing, as browsers ignore it there). Mistakes still happen, and a header sent too early can lock users out: if the certificate is invalid or misconfigured, browsers that hold the policy refuse the connection with no way to click through. Keeping max-age short during the rollout limits the blast radius, because a policy can only be withdrawn by serving max-age=0 over HTTPS, and a browser that does not revisit the site keeps enforcing the old value until its cached expiry. If a site has been added to the preload list in error, the list maintainers provide a removal mechanism, but the change only reaches users with later browser releases, so removal can take months.
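The staged rollout described in the two sections above, as an added example written for this page (it is not the preload list's own checker and not part of the original text): a script that takes captured responses for a host and reports what would make a given stage unsafe. The host names, the responses and the 600-second pilot cap are constructed assumptions; the one-year minimum, includeSubDomains, the preload token and the same-host redirect are the published hstspreload.org conditions. In a real rollout `responses` would be filled from actual requests to the site before each max-age increase.

```python
"""Constructed pre-rollout check for an HSTS deployment (illustrative; not hstspreload.org's checker)."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ONE_YEAR = 31536000      # minimum max-age the preload list accepts
PILOT_MAX_AGE = 600      # cap we impose on ourselves while observing (assumption for this example)

Response = Tuple[int, Dict[str, str]]   # (status code, response headers)


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def directives(sts: str) -> Dict[str, str]:
    """Lower-cased directive name -> value ('' for valueless tokens such as preload)."""
    out: Dict[str, str] = {}
    for raw in sts.split(";"):
        name, _, value = raw.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip().strip('"')
    return out


def check_rollout(host: str, responses: Dict[str, Response], stage: str) -> List[str]:
    """Return the list of problems for `host`; an empty list means the stage is safe.

    stage == "pilot":   short max-age, no includeSubDomains, no preload token
    stage == "preload": the conditions the preload list requires before submission
    `responses` maps a URL to the (status, headers) captured for it (constructed here).
    """
    if stage not in ("pilot", "preload"):
        raise ValueError(f"unknown stage {stage!r}")
    problems: List[str] = []

    # 1. Port 80 must redirect straight to HTTPS on the same host. A hop via another
    #    host (e.g. www.) leaves the bare domain without a policy and fails preload review.
    http = responses.get(f"http://{host}/")
    if http is None:
        problems.append(f"no plain-HTTP response captured for {host}")
    else:
        status, hdrs = http
        loc = urlsplit(header(hdrs, "location") or "")
        if status not in (301, 302, 307, 308) or loc.scheme != "https" or loc.hostname != host:
            problems.append(f"http://{host}/ must redirect to https://{host}/, got "
                            f"{status} Location={header(hdrs, 'location')!r}")

    # 2. The policy only counts when sent over HTTPS; browsers ignore it on HTTP.
    https = responses.get(f"https://{host}/")
    if https is None:
        problems.append(f"no HTTPS response captured for {host}")
        return problems
    sts = header(https[1], "strict-transport-security")
    if sts is None:
        problems.append("HTTPS response carries no Strict-Transport-Security header")
        return problems
    d = directives(sts)
    if not d.get("max-age", "").isdigit():
        problems.append(f"max-age missing or not an integer in {sts!r}")
        return problems
    max_age = int(d["max-age"])

    # 3. Stage-specific limits.
    if stage == "pilot":
        if max_age > PILOT_MAX_AGE:
            problems.append(f"pilot max-age {max_age} exceeds {PILOT_MAX_AGE}s; a mistake now would persist")
        if "includesubdomains" in d:
            problems.append("includeSubDomains set before every subdomain was verified over HTTPS")
        if "preload" in d:
            # The token is the site's consent; anyone may submit a domain that carries it.
            problems.append("preload token present during pilot")
    else:
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} is below the one-year minimum for preloading")
        if "includesubdomains" not in d:
            problems.append("includeSubDomains required for preloading")
        if "preload" not in d:
            problems.append("preload token required for preloading")
    return problems


# Constructed captures, not real sites.
READY = {
    "http://example.com/":  (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {"Strict-Transport-Security":
                                   "max-age=63072000; includeSubDomains; preload"}),
}
NOT_READY = {
    "http://example.net/":  (301, {"Location": "https://www.example.net/"}),  # hop via www
    "https://example.net/": (200, {"Strict-Transport-Security": "max-age=300; preload"}),
}

if __name__ == "__main__":
    for name, site, stage in (("example.com", READY, "preload"),
                              ("example.net", NOT_READY, "preload"),
                              ("example.net", NOT_READY, "pilot")):
        print(name, stage, check_rollout(name, site, stage) or "OK")
```

The pilot-stage check for the preload token is the caveat most often missed: the token by itself does nothing in browsers, but once it is in the header the domain meets the list's consent requirement, and the submission form does not verify who fills it in.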