What is HTTP Strict Transport Security (HSTS)

 

HTTP Strict Transport Security (HSTS) is a web server directive that allows websites to declare that they should only be accessed via a secure connection. When a website has an HSTS policy, any browser accessing it must refuse all HTTP connections and stop users from accepting insecure SSL certificates. To prevent redirects every time a user visits a site, the browser remembers the information for a period of time specified by the header.

Specification History of HTTP Strict Transport Security (HSTS)

Many websites face two major challenges when securing websites over HTTPS. To address this gap in HTTPS security, the IETF introduced HSTS in 2012. 

Challenge 1: When a user loads a domain without specifying the protocol, the first request is always made over HTTP and, where a 301 redirect is in place, is then redirected to HTTPS. The time that elapses between these requests is long enough for attackers to take advantage of it and launch an attack on the website. This can make websites vulnerable to man-in-the-middle attacks such as SSL stripping.

Challenge 2: The initial redirect can also significantly increase page load times. In some instances, the load time could increase by 15 seconds.

How HTTP Strict Transport Security (HSTS) works

HSTS removes the opportunity an attacker has to intercept and tamper with redirects over HTTP.

When a browser receives a response carrying the Strict-Transport-Security header, it understands that it must only connect to that website over a secure connection, i.e. HTTPS. If this is not possible, the browser terminates the connection. HSTS defines an additional ‘preload’ directive that can safeguard the first request that the user’s browser sends to a website. By submitting the website to the ‘preload list’, the website owner can make sure that the first request is also made over HTTPS.

There are some prerequisites for implementing HSTS:

  • Valid SSL certificate installed on the website
  • Visibility into active and passive mixed content on your website, as this content could be blocked once HSTS is implemented
  • The website should be served via HTTPS
  • All subdomains associated with the parent domain must support HTTPS.
  • 301 redirects should be used to re-route all HTTP pages to HTTPS ones


The benefits of HTTP Strict Transport Security (HSTS)

There are three main benefits to implementing HSTS on your website:

1. Prevent SSL stripping and HTTP leakage attacks: By enforcing HSTS with preload, it’s possible to ensure your website is never served via HTTP.

2. Improve page load times: With HSTS, the browser does not spend time following redirects. This can improve your page load times by a matter of seconds.

3. Improve SEO ranking: Google’s PageRank algorithm ranks websites that are served over HTTPS higher than ones on an insecure protocol.


HSTS Applicability & Limitations

The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks.

HSTS eliminates the “SSL Stripping” / “Man-in-the-Middle” threat, guaranteeing secure transmission. One potential limitation of HSTS arises the first time a user visits an unknown site: the browser has to rely on the server to determine the correct protocol. This is known as “Trust On First Use” (TOFU). The risk in this case is that an attacker could intercept the first visit and redirect the browser to an insecure website. To address this, all the major browsers, including Chrome, Firefox, Microsoft Edge and Safari, have a built-in list of known HTTPS sites. This is called preloading, and browsers will know to connect using only HTTPS, even on the very first visit. Preloading also improves page load speeds.
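The Trust On First Use gap and the effect of preloading can be seen in a small model of the browser's side of HSTS. This is an added example, not code from the original page or from any browser: the HstsStore class, the .example host names and the timestamps are constructed for illustration, and preloaded entries are assumed to cover their subdomains.

```python
# Added example: toy model of how a browser picks the scheme for a typed host.
class HstsStore:
    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # hosts shipped with the browser
        self.noted = {}                  # host -> (expiry, include_subdomains)

    def note(self, host, scheme, max_age, include_subdomains, now):
        """Record the policy from a response received at time `now`."""
        if scheme != "https":
            return  # headers on plain HTTP are ignored: anyone on path can alter them
        if max_age == 0:
            self.noted.pop(host, None)  # max-age=0 removes the stored policy
        else:
            self.noted[host] = (now + max_age, include_subdomains)

    def covered(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])  # the host itself, then each parent
            if name in self.preloaded:
                return True  # assumption: preloaded entries cover subdomains
            expiry, subdomains = self.noted.get(name, (0, False))
            if expiry > now and (i == 0 or subdomains):
                return True
        return False

    def scheme_for(self, host, now):
        return "https" if self.covered(host, now) else "http"


def demo():
    """Constructed scenario; the .example hosts and times are made up."""
    t0 = 1_000_000
    store = HstsStore(preloaded={"bank.example"})
    first = store.scheme_for("shop.example", t0)  # nothing stored yet
    store.note("shop.example", "https", 3600, False, t0)
    return [
        first,
        store.scheme_for("shop.example", t0 + 60),
        store.scheme_for("cdn.shop.example", t0 + 60),
        store.scheme_for("shop.example", t0 + 7200),
        store.scheme_for("bank.example", t0),
    ]
```

In demo(), only the very first visit to shop.example, the subdomain left out of the policy, and the visit after expiry start over HTTP; the preloaded bank.example starts over HTTPS with no prior visit.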

Automating HSTS with Tala


There are two key challenges in implementing HSTS: firstly, the website owner needs to take stock of all mixed content or HTTP traffic that might break. Secondly, configuring HSTS in a complex domain tree requires in-depth insights into current deployments.

Evaluation of HSTS Readiness: Tala evaluates whether your website is ready for HSTS by scanning your website to discover all mixed content and HTTP redirects.

Implementation of HSTS based on user specifications: Tala lets the user control the max-age value and decide if they want to implement HSTS on subdomains through a simple workflow. HSTS settings can be changed and applied within minutes. Learn more about how Tala protects websites with WARP

Tala’s advanced analytics and automation engine continuously applies HSTS, CSP, SRI and other critical controls to websites, protecting against the broadest range of attacks without impacting website performance or user experience. Tala’s technology automates advanced security controls to ensure continuous website security measures are in place, protecting sensitive data exchange and preventing website attacks. To learn more about how Tala automates security standards and protects websites from attack, visit our solutions page.
