
HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that enables web sites to declare themselves accessible only via secure connections. This helps protect websites and users from protocol downgrade and cookie hijacking attacks.

Protocol downgrade attacks occur when an attacker intercepts an initial HTTP request and redirects the user to a malicious site instead of the secure version of the original site. Cookie hijacking attacks occur when an attacker steals or manipulates cookies from a user’s browser, which may contain sensitive information such as authentication tokens or preferences.

HSTS works by sending a special response header, Strict-Transport-Security, to the browser. The header informs the browser that the site should only be accessed over HTTPS and that any future attempt to reach it over HTTP should be converted to HTTPS automatically, before the request leaves the browser. The header also carries a max-age directive, a number of seconds that tells the browser how long to remember this policy. Optionally, the header can include an includeSubDomains directive, which extends the policy to all subdomains of the site, and a preload directive, which signals the site owner’s consent to have the domain included in the preload list that some browsers ship with.

HSTS is an opt-in security enhancement that is supported by most modern browsers. It is more secure than simply configuring an HTTP-to-HTTPS redirect on the server, because with a redirect alone the initial HTTP connection is still exposed to a man-in-the-middle attack. However, HSTS also has some limitations and risks, such as:

  • The browser only enforces HSTS after it receives the first valid response header from the site. This means that the first visit to the site (or the first visit after the max-age expires) is still exposed to a potential attack.
  • The site owner must ensure that all subdomains are HTTPS-capable before using the includeSubDomains directive; otherwise some pages may become inaccessible.
  • The site owner must be careful when using the preload directive, as it can have effectively permanent consequences and prevent users from accessing the site and any of its subdomains if they ever need to switch back to HTTP. The site owner also needs to submit their domain to the preload list manually.
  • HSTS state can be used to identify users without cookies, which can lead to a privacy leak.
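To make the header semantics and the first limitation above concrete, here is a small model of how a browser parses the Strict-Transport-Security header and decides whether to upgrade a plain-HTTP request. It is an added example written for this entry, not code from any browser or from the page's author; the HstsStore class, its method names and the constructed host names (example.com and the like) are assumptions chosen for illustration, and the behaviour follows RFC 6797 (header honoured only over HTTPS, max-age in seconds, includeSubDomains widening the match, max-age=0 forgetting the host).

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age, include_subdomains and preload, or None when
    the header is invalid: no max-age, a non-numeric max-age, or a directive
    that appears twice (RFC 6797 says to ignore the whole header in that case).
    """
    max_age = None
    seen = set()
    flags = {"includesubdomains": False, "preload": False}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age value may be quoted
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name in flags:
            flags[name] = True
        # Unknown directives are ignored so future extensions do not break parsing.
    if max_age is None:
        return None
    return {"max_age": max_age,
            "include_subdomains": flags["includesubdomains"],
            "preload": flags["preload"]}


class HstsStore:
    """Constructed model of a browser's table of known HSTS hosts (not a real browser's code)."""

    def __init__(self):
        self._hosts = {}   # host -> {"expires": unix time, "include_subdomains": bool}

    def record(self, host, header, now, over_https):
        """Process a Strict-Transport-Security header seen in a response at time `now`."""
        if not over_https:
            return False   # headers received over plain HTTP are ignored (RFC 6797 section 8.1)
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self._hosts[host] = {"expires": now + policy["max_age"],
                             "include_subdomains": policy["include_subdomains"]}
        return True

    def is_known(self, host, now):
        """True if `host` or a superdomain with includeSubDomains has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry["expires"] <= now:
                del self._hosts[candidate]   # expired: the browser is back to the unprotected state
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url   # first visit or expired policy: the request goes out in the clear
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"   # explicit port 80 becomes 443 (dropped); others are kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Walking a request through the store shows the gap the first bullet describes: before any HTTPS response has delivered the header, rewrite() returns the http:// URL unchanged, and it does so again once max-age has elapsed, which is why site owners typically set a long max-age and why the preload list exists.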
