HTTP Strict Transport Security (HSTS) is a web server directive that lets a website declare that it must only be accessed over a secure connection. Once a browser has seen an HSTS policy for a site, it refuses all plain-HTTP connections to that site and prevents users from clicking through insecure SSL certificate errors. To avoid a redirect on every visit, the browser remembers the policy for the period of time specified by the header.
Websites face two major challenges when moving to HTTPS. To close this gap in HTTPS security, the IETF introduced HSTS in 2012.
Challenge 1: When a user enters a domain without a protocol, the browser's first request is always made over plain HTTP and, where a 301 redirect is configured, is then sent on to HTTPS. The window between that HTTP request and the redirect is long enough for an attacker on the network path to tamper with the exchange, which leaves websites vulnerable to man-in-the-middle attacks such as SSL stripping.
Challenge 2: The initial redirect can also significantly increase page load times. In some instances, the load time could increase by 15 seconds.
HSTS removes the opportunity an attacker has to intercept and tamper with redirects over HTTP.
When a browser receives a response carrying the strict transport security header, it learns that it must only connect to that website over a secure connection, i.e. HTTPS. If this is not possible, the browser terminates the connection. HSTS also defines an additional ‘preload’ directive that can safeguard even the very first request a user’s browser sends to the website. By submitting the website to the ‘preload list’, the website owner can make sure that the first request is also made over HTTPS.
There are three main benefits to implementing HSTS on your website:
1. Prevent SSL stripping and HTTP leakage attacks: By enforcing HSTS with preload, it’s possible to ensure your website is never served via HTTP.
2. Improve page load times: With HSTS, the browser does not spend time following redirects. This can improve your page load times by seconds.
3. Improve SEO ranking: Google’s PageRank algorithm ranks websites that are served over HTTPS higher than ones on an insecure protocol.
The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks.
HSTS eliminates the “SSL Stripping” / “Man-in-the-Middle” threat, guaranteeing secure transmission. One potential limitation of HSTS is the first time a user visits an unknown site: the browser has to rely on the server to determine the correct protocol. This is known as “Trust On First Use” (TOFU). The risk in this case is that an attacker could intercept the first visit and redirect the browser to an insecure website. To address this, all the major browsers, including Chrome, Firefox, Microsoft Edge and Safari, ship with a built-in list of known HTTPS sites. This is called preloading, and it tells the browser to connect only over HTTPS, even on the very first visit. Preloading also improves page load speeds.
There are two key challenges in implementing HSTS: firstly, the website owner needs to take stock of all mixed content and HTTP traffic that the policy might break. Secondly, configuring HSTS across a complex domain tree requires in-depth insight into current deployments.
Evaluation of HSTS Readiness: Tala evaluates whether your website is ready for HSTS by scanning your website to discover all mixed content and HTTP redirects.
Implementation of HSTS based on user specifications: Tala lets the user control the max-age value and decide if they want to implement HSTS on subdomains through a simple workflow. HSTS settings can be changed and applied within minutes. Learn more about how Tala protects websites with WARP.
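The readiness evaluation and the max-age and subdomain settings described above, as an added example in Python (not Tala's code): it parses a Strict-Transport-Security header value and lists what would block preload-list submission, assuming the preload requirements of a one-year max-age, the includeSubDomains directive and the preload directive.

```python
# Added example (not Tala's code): parse a Strict-Transport-Security header value
# and report why it would not be accepted for the browser preload list.
ONE_YEAR = 31536000  # minimum max-age for preload submission (assumed, in seconds)

def parse_hsts(header_value):
    """Split a raw header value into its three directives.
    Directive names are case-insensitive; unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in header_value.split(";"):
        name, _, value = token.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def preload_readiness(header_value):
    """Return the list of findings that block preload submission;
    an empty list means the header meets all three requirements."""
    p = parse_hsts(header_value)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing: browsers ignore a header without it")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif p["max_age"] < ONE_YEAR:
        findings.append(f"max-age={p['max_age']} is below the one-year minimum")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if not p["preload"]:
        findings.append("preload directive missing: the site has not opted in")
    return findings

# Constructed sample header values; not captured from any real site.
SAMPLES = {
    "weak": "max-age=300",
    "ready": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, preload_readiness(value) or "preload-ready")
```

Browsers only honour this header when it arrives over HTTPS, so the value checked here should be the one observed on the HTTPS response, not on the HTTP redirect.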
Tala’s advanced analytics and automation engine continuously applies HSTS, CSP, SRI and other critical controls to websites, protecting against the broadest range of attacks without impacting website performance or user experience. Tala’s technology automates advanced security controls to ensure continuous website security measures are in place, protecting sensitive data exchange and preventing website attacks. To learn more about how Tala automates security standards and protects websites from attack, visit our solutions page.
COPYRIGHT ©2021 TALA SECURITY, INC. ALL RIGHTS RESERVED