0 to Hero: HSTS – Improving Web Security

Title image - 0 to Hero HSTS

My 0 to Hero articles will cover actionable things you can do to improve your security and become a workplace hero! In my first 0 to Hero post, I will focus on HSTS.

HTTP Strict Transport Security, or HSTS, is not a new technology, but its adoption has been rather slow. Concerns about compatibility, as well as misunderstandings about what HSTS is and what it does, abound. In this post, I will introduce you to what HSTS is, help you understand it better and then discuss how to configure it.

Historically, organizations have relied on a redirect from HTTP to HTTPS to ensure that visitors use HTTPS. The problem with this method is that the very first request still leaves the browser in plaintext, which leaves room for a man-in-the-middle attack. An attacker on the path can answer that HTTP request himself and simply never issue the redirect (the classic "SSL stripping" attack), or present a certificate for a similar-looking name and hope the user clicks through the certificate warning. With HSTS enabled, the browser does not wait for a redirect at all: it rewrites the request to HTTPS itself before anything goes over the wire, and certificate errors for an HSTS host become hard failures that the user cannot click through. Keep in mind that HSTS is trust-on-first-use: the browser has to receive the header over HTTPS once before it will enforce anything, which is the gap the preload list (discussed below) closes.

Because the browser is told to request the site only over HTTPS, there is a small performance gain on top of the security improvement: the user no longer waits for a round trip to port 80 just to be told to go to port 443. The browser performs the upgrade internally (Chrome shows it in the developer tools as a "307 Internal Redirect") and opens the HTTPS connection straight away. HSTS also applies to sub-resources: any http:// link, script, image or stylesheet reference to a host in the browser's HSTS list is rewritten to https:// before it is fetched, so mixed-content references to your own domain stop being a problem.

What about compatibility?

HSTS is supported by most major browsers with the exception of Opera Mini. You can check compatibility on a number of different services/protocols with the caniuse.com website. For HSTS compatibility specifically, check out https://caniuse.com/?search=hsts

How can I tell if a site is using HSTS?

There are a few ways to tell if a site is using HSTS: two that need no technical knowledge, and one that is a little more hands-on.

  1. SSL Labs
    • This site shows you how well a site is doing in regards to TLS configuration, cryptographic protocols and cipher suites. When HSTS is enabled it is shown in the green banner right underneath the grade. Note that SSL Labs only counts HSTS toward the A+ grade when max-age is at least 180 days, so a short rollout max-age will not show up there yet. I really like SSL Labs to confirm remediation work related to TLS and cipher suites in use.
    • Picture of A+ grade from SSL Labs showing HSTS is enabled
  2. securityheaders.com
    • This site shows you all of the various security headers you can set. Enabled headers are shown in green, headers not in use are shown in red. Guidance regarding each header is provided below the grade. The site is very helpful for getting a glance at which headers are set and which should be focused on next.
  3. Developer Tools
    • In the Developer Tools of your browser, open the Network tab, select the request for the page and look at its response headers; Strict-Transport-Security will be listed there. Remember that the header is only sent (and only honoured) on HTTPS responses, so look at the https:// request, not at the port 80 redirect that may precede it.
    • Screenshot of HSTS in the response header

Configuring HSTS

Now you know how to find out if a site is using HSTS, but what if you want to configure it? Let's explore the parameters you can use to customize your HSTS deployment, then we will look at how to add the HSTS response header in IIS and Apache.

  • max-age
    • The number of seconds the browser should keep requesting the site over HTTPS. 31536000 is the usual production value; it tells the browser to request the site in HTTPS for one year. The timer is refreshed every time the browser sees the header on an HTTPS response, so a regularly visited site never falls out of the list.
    • If the max-age does expire (the user has not visited for longer than max-age), the next visit could go out over plain HTTP again. This is where preload helps, since a preloaded domain is enforced regardless of what the browser has cached.
    • When you are first rolling this out, use a small max-age (a few minutes) so that a mistake only locks users out for that long, and raise it once every host is confirmed to work over HTTPS. Sending max-age=0 tells browsers to forget the entry, which is your rollback switch for cached entries; it does nothing for a preloaded domain.
  • includeSubDomains
    • This option does exactly what it sounds like: if you apply HSTS on sometestorg.com and add the includeSubDomains parameter, then a user's browser will only use HTTPS to connect to your sub-domains as well, i.e. www.sometestorg.com or marketing.sometestorg.com. It only takes effect when the header is received from sometestorg.com itself, not from one of its sub-domains.
    • You want this option. Cookies set for the parent domain without the Secure flag are sent to sub-domains over plain HTTP, so an attacker who can steer a user to http://anything.sometestorg.com can read them unless the sub-domains are covered too. The catch is that every sub-domain, including internal and test hosts, must then work over HTTPS, so inventory them before you turn it on.
  • preload
    • This option takes planning ahead of time. Browsers ship with a built-in list of HSTS domains, and you request that your site be added to it at https://hstspreload.org/
    • The submission site checks your live header, so the header (including the preload directive) must already be in place before you submit. The requirements are: a max-age of at least one year (31536000), includeSubDomains, the preload directive, a redirect from HTTP to HTTPS on the base domain, and the header served on the base domain over HTTPS.
    • To use preload, you must also use includeSubDomains.
    • This option provides the best protection: for a user to get the HSTS header they have to connect at least once, and that first connection is unprotected. If your domain is in the preload list, then their browser already knows to use HTTPS before it ever connects to you. Treat preloading as close to permanent: removal is possible but takes months to reach users' browsers, so be sure every sub-domain can live with HTTPS only.
Example HSTS header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
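To make the browser-side behaviour described above concrete, here is a small model of a browser's HSTS cache. This is an added illustration and not code from the original post: it parses the header value, applies the hstspreload.org header requirements, honours the header only on HTTPS responses, rewrites http:// URLs for known hosts (and their sub-domains when includeSubDomains is set), refreshes and expires entries by max-age, and forgets a host on max-age=0. The host names and timestamps used are constructed; sometestorg.com is the post's hypothetical domain.

```python
"""Model of a browser's HSTS cache (an added illustration, not code from the post).

It shows what the post describes: the header is honoured only on HTTPS responses,
the host is remembered for max-age seconds (refreshed on every HTTPS response that
carries the header), http:// URLs for a remembered host are rewritten to https://
before any request leaves the browser, includeSubDomains extends that to every
sub-domain, and max-age=0 forgets the entry. Host names and timestamps are
constructed; sometestorg.com is the post's hypothetical domain.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the max-age value the post recommends for production


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).

    Returns None when the header is invalid (no max-age, a non-numeric or duplicated
    max-age); browsers ignore such a header rather than guessing.
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


def preload_ready(value):
    """Check the header-value part of the hstspreload.org requirements: max-age of at
    least one year, includeSubDomains and preload. (The HTTP-to-HTTPS redirect on the
    base domain is also required, but cannot be judged from the header alone.)"""
    parsed = parse_hsts(value)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    return max_age >= ONE_YEAR and include_sub and preload


class HstsCache:
    """The browser's list of known HSTS hosts: host -> (expiry, include_subdomains)."""

    def __init__(self, preloaded=()):
        # Preloaded hosts never expire (expiry None) and always cover sub-domains.
        self.entries = {host.lower(): (None, True) for host in preloaded}

    def observe_response(self, url, headers, now):
        """Feed one response into the cache. Returns True if the cache changed."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False  # the header only counts over HTTPS, where it cannot be injected
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub, _preload = parsed
        host = parts.hostname
        if max_age == 0:
            return self.entries.pop(host, None) is not None  # max-age=0 is the rollback switch
        self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, is cached and unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= now:
                del self.entries[candidate]  # expired: plain HTTP is possible again
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually request (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc[:-3] + ":443" if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    header = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
    print(cache.rewrite("http://www.sometestorg.com/", 0))             # first visit: still HTTP
    cache.observe_response("https://sometestorg.com/", header, 0)
    print(cache.rewrite("http://marketing.sometestorg.com/login", 5))  # upgraded via includeSubDomains
    print(cache.rewrite("http://www.sometestorg.com/", ONE_YEAR + 1))  # expired: HTTP again
```

The two things worth noticing when you run it are the first and last lines of output: before the header has ever been seen, and after max-age has lapsed without a visit, the browser is back to plain HTTP, which is exactly the window that a short max-age widens and that preloading removes.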

Configuring in IIS
  1. Open IIS Manager
  2. Select the site where you want to enable HSTS
  3. Double-click on HTTP Response Headers
  4. Click on Add
  5. In the "Add Custom HTTP Response Header" dialog box, enter the following:
    • Name: Strict-Transport-Security
    • Value: max-age=31536000; includeSubDomains; preload
  6. Click OK. IIS Manager stores the header in the site's web.config, so it can also be deployed along with the application.

Two caveats for IIS. A custom header added this way is attached to every response of that site, including plain HTTP responses if the site also has an HTTP binding; browsers ignore the header over HTTP, so that is harmless, but the HTTP binding still has to redirect to HTTPS (the URL Rewrite module is the usual way to do that). On IIS 10 version 1709 and later there is also a native HSTS setting for the site that sends the header and handles the HTTP-to-HTTPS redirect in one place.


Configuring in Apache
  1. Make sure mod_headers is loaded. On Debian/Ubuntu run "a2enmod headers"; on other layouts open the main config file (for example /etc/httpd/conf/httpd.conf on Red Hat-style systems) and uncomment or add "LoadModule headers_module modules/mod_headers.so".
  2. Navigate to the directory that holds your virtual host files (/etc/apache2/sites-enabled on Debian/Ubuntu, /etc/httpd/conf.d on Red Hat-style systems).
  3. Locate the configuration file for the site where you want to enable HSTS.
  4. Inside the <VirtualHost *:443> block (not the port 80 one, since browsers ignore the header on plain HTTP), add the line below. The "always" keyword makes Apache send the header on every response, including redirects and error pages. Use straight quotes; the curly quotes that word processors insert will break the config.
    • Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  5. Run "apachectl configtest" and reload Apache.
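
Putting the steps together, here is what the complete pair of virtual hosts looks like. This is an added example, not configuration from the original post: sometestorg.com is the post's hypothetical domain, and the certificate paths are placeholders you would replace with your own. The port 80 host carries no HSTS header and only redirects, which is also what the preload list requires of the base domain.

```apache
# Added example, not from the original post. sometestorg.com is hypothetical and
# the certificate paths are placeholders.

# Port 80: no HSTS header here (browsers ignore it on plain HTTP); just redirect.
# This example also folds www into the bare domain; keep the host if you serve both.
<VirtualHost *:80>
    ServerName sometestorg.com
    ServerAlias www.sometestorg.com
    Redirect permanent / https://sometestorg.com/
</VirtualHost>

# Port 443: TLS plus the HSTS header. "always" sends the header on every response,
# including redirects and error pages, not only on 2xx responses.
<VirtualHost *:443>
    ServerName sometestorg.com
    ServerAlias www.sometestorg.com
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/sometestorg.com.crt
    SSLCertificateKeyFile /etc/ssl/private/sometestorg.com.key
    # Start with a short max-age (for example 300) during rollout; raise it to 31536000
    # once every sub-domain is confirmed to work over HTTPS, then submit for preloading.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

On Debian/Ubuntu both mod_headers and mod_ssl need to be enabled ("a2enmod headers ssl") before this will load. After saving, run "apachectl configtest", reload Apache, and then confirm in the developer tools that the header appears on the https:// response and not on the port 80 redirect.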

Before I close, I feel I should mention that for HSTS to do anything at all, you must first have a valid TLS certificate bound to your site and be listening on HTTPS/443 at a minimum, and the header must be served on the HTTPS responses, since browsers ignore it on plain HTTP. You should also keep listening on HTTP/80 and redirect to HTTPS/443: users may have the old HTTP address saved, every new user's first visit arrives over HTTP before the header has been seen, and the preload list requires that redirect anyway.

I hope this helps some of you out there! Please drop a comment if you have configured HSTS or if you have any questions!

Additional Resources

Check out these additional resources if you want to learn more about HSTS.

OWASP HSTS Cheat Sheet