HTTP Strict Transport Security (HSTS)
1. Introduction
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. HSTS instructs browsers to only interact with the server using secure HTTPS connections.
2. Key Concepts
- HSTS allows web servers to enforce secure connections.
- It is implemented via a special response header sent by the server.
- Once a browser has received the HSTS header over HTTPS, it upgrades any later HTTP request for that site to HTTPS instead of connecting in the clear.
Note: HSTS can only be applied to HTTPS sites and should not be used on sites that do not support HTTPS.
3. Implementation
To implement HSTS, the server must send the following HTTP header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
In this example:
- max-age=31536000 tells the browser to enforce HSTS for 31536000 seconds (one year), counted from the last time it received the header.
- includeSubDomains applies this rule to all subdomains of the current domain.
Example of a server configuration for HSTS in Apache (requires mod_headers to be enabled):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
4. Best Practices
- Always test your HSTS implementation in a safe environment before going live.
- Use the preload directive when submitting your site for inclusion in the browsers' HSTS preload lists; preloaded entries are built into the browsers themselves and are slow to remove, so only preload once HTTPS works on every subdomain.
- Regularly review and update your HSTS policies.
Warning: Make sure your site can handle HTTPS requests before implementing HSTS. Once implemented, it can be difficult to roll back.
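As an added example (not part of the original page), a small Python checker that parses a Strict-Transport-Security value using the directive syntax of RFC 6797 and reports the weak settings discussed in sections 3 and 4. The one-year minimum used for preload eligibility follows the hstspreload.org submission rules and is an assumption here, not something the page states.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed preload-list minimum (hstspreload.org rule)

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value per RFC 6797 syntax.
    Returns a dict, or None when a browser would ignore the header."""
    seen = set()
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate a trailing or doubled semicolon
        name, _, value = token.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # values may be quoted strings
        if name in seen:
            return None                        # a directive must not appear twice
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None                    # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":                # browser extension, not in RFC 6797
            policy["preload"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        return None                            # max-age is mandatory
    return policy

def assess_hsts(header_value, over_https=True):
    """Return the findings a defender would want about the policy a browser applies."""
    if not over_https:
        return ["ignored: browsers only honor HSTS on HTTPS responses"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["invalid header: browsers will ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears the stored policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: weak and not preload-eligible")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay unprotected")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]):
        findings.append("preload set but preload requirements are not met")
    return findings
```

Feed it the header value as captured from a response (for example from curl -I) to see what a browser would actually store.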
5. FAQ
What happens if I set HSTS but my site is still accessible over HTTP?
Browsers enforce HTTPS only after they have received the header in an HTTPS response; until that first secure visit (or unless the site is preloaded), a user who opens a plain http:// URL can still reach the site over HTTP, so the HTTP endpoint should redirect to HTTPS.
Can I add HSTS to an existing site?
Yes, you can add HSTS to any existing HTTPS site, but ensure that it is fully functional over HTTPS first.