I am an Information Security evangelist and author.
My 0 to Hero articles will cover actionable things you can do to improve your security and become a workplace hero! In my first 0 to Hero post, I will focus on HSTS.
HTTP Strict Transport Security, or HSTS, is not a new technology, but its adoption has been rather slow. Concerns about compatibility, as well as misunderstandings about what HSTS is and what it does, abound. In this post, I will introduce you to what HSTS is, help you understand it better, and then discuss how to configure it.
Historically, organizations have used redirects from HTTP to HTTPS to ensure that visitors to their sites were using HTTPS. The issue with this method is that it leaves room for a man-in-the-middle style attack. An attacker can, for instance, use a certificate with a similar name to fool the end user, and the user may ignore the certificate warnings and accept the certificate. With HSTS enabled, the end user cannot click through an invalid certificate. And instead of redirecting from HTTP to HTTPS, HSTS instructs the browser to only request the site over HTTPS.
Since HSTS instructs the browser to only request a site over HTTPS, there can be a slight performance improvement in addition to the security improvement, since the end user does not have to wait for the redirect to occur. Their browser is instead forced to request the site over HTTPS from the start. HSTS also forces other website assets, including scripts and links, to load over HTTPS as well.
HSTS is supported by most major browsers with the exception of Opera Mini. You can check compatibility on a number of different services/protocols with the caniuse.com website. For HSTS compatibility specifically, check out https://caniuse.com/?search=hsts
There are a few ways to tell if a site is using HSTS. There are two that are less technical, and there is one that is a little more technical.
Now you know how to find out if a site is using HSTS, but what if you want to configure it? Let's explore the parameters you can use to customize your HSTS deployment, then we will look at how to add the HSTS response header in IIS and Apache.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
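To make the three parameters concrete, here is a small Python parser for that header, added as an example and not code from the original post. It reads the value the way a browser does (RFC 6797: directive names are case-insensitive, max-age is mandatory and may be quoted, a duplicate max-age invalidates the header, and the header is ignored entirely on a plain HTTP response) and checks the assumed preload-list conditions (a max-age of at least one year, includeSubDomains and preload all present).

```python
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the max-age used in the post's example header

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

    def preload_eligible(self) -> bool:
        # Assumed preload-list conditions: one year, includeSubDomains and preload
        return self.max_age >= ONE_YEAR and self.include_subdomains and self.preload

def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None for an invalid header (missing, duplicated or non-numeric
    max-age), which a browser treats as 'no policy'."""
    max_age = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # the max-age value may be quoted
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", value):
                return None                  # duplicate or malformed max-age
            max_age = int(value)             # max-age=0 tells the browser to forget the host
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True                   # any other directive is ignored per the RFC
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)

def policy_from_response(scheme: str, headers: dict) -> Optional[HstsPolicy]:
    """Browser rule: the header only counts on an HTTPS response, never on plain HTTP."""
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)         # only the first STS header is used
    return None
```

Running the post's example value through parse_hsts gives a policy that passes preload_eligible, while a short max-age or a header delivered over HTTP does not set any policy at all.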
Before I close, I feel I should mention that for HSTS to help improve the security of your site, you must first have an SSL certificate bound to your site, and you must be listening on HTTPS/443 at a minimum. You may also want to listen on HTTP/80 and redirect to HTTPS/443 if you think there may be users with the old HTTP address saved.
I hope this helps some of you out there! Please drop a comment if you have configured HSTS or if you have any questions!
Check out these additional resources if you want to learn more about HSTS.