HTTP Strict Transport Security (HSTS) plays an important role in web security — ensuring secure communication between websites and the web browsers of users.
Read on to learn about the importance of HSTS, key features such as HSTS preloading, the threats that HSTS can mitigate, and some of the limitations of the protocol.
HSTS is a widely used web security mechanism. Its primary objective is to ensure that web browsers access websites over HTTPS rather than HTTP. The standard was finalized by the IETF as RFC 6797 in 2012.
When a domain is HSTS-enabled, it instructs the browser to use HTTPS whenever a user clicks an HTTP link or accesses the site without specifying a protocol, and it prevents users from bypassing warnings about invalid certificates. By automatically upgrading HTTP to HTTPS, HSTS eliminates the possibility of insecure access to the site.
The server returns a Strict-Transport-Security response header when the browser connects to an HSTS-enabled domain or subdomain over HTTPS. The header instructs the browser to enable HSTS and retain this policy for a specified duration in seconds. Any subsequent attempt to access the domain via HTTP is then automatically converted to HTTPS.
Ultimately, HSTS helps prevent man-in-the-middle attacks and ensures secure access to domains and subdomains. However, this requires that all subdomains of the parent domain support HTTPS.
There are several issues associated with how browsers handle manual URL inputs and how users access websites. For example, when a user types in a web address like “test.com” in the browser address bar, the browser will automatically set the URL protocol to HTTP rather than HTTPS. Additionally, users can enter hostile networking environments capable of rewriting HTTPS links to HTTP. Users might click on outdated links that unintentionally use an HTTP URL.
Moreover, some websites still listen on HTTP ports and redirect users to HTTPS URLs. Relying on this redirection is an insecure practice, because the initial plaintext request can expose users to cyberattacks such as session-cookie hijacking and other man-in-the-middle (MIM) attacks.
Suppose a user visits an HSTS-enabled website, "https://test.com". The website responds with a Strict-Transport-Security header whose directives indicate that all future connections must be made over HTTPS. Typically, the header includes the policy lifetime and specifies whether it applies to subdomains. Following is an example of a Strict-Transport-Security header returned by an HSTS-enabled website.
Strict-Transport-Security: max-age=31536000; includeSubDomains
This header instructs the browser that the domain and all of its subdomains must be accessed over HTTPS for one year (31536000 seconds), which effectively blocks subdomains that only support HTTP. The browser stores this policy for the duration given in the header.
When the browser attempts to access that domain in the future, it automatically converts any attempt to access the website via HTTP to HTTPS. This conversion occurs even if the user clicks on an HTTP link within the website or manually types a subdomain without including the protocol part.
In the case of our example HSTS-enabled website, if a subdomain URL such as "http://sub.test.com" is encountered, the browser automatically changes it to "https://sub.test.com". This conversion happens inside the browser, without contacting the server over HTTP, thereby ensuring secure communication. Once the lifetime specified in the Strict-Transport-Security header has passed, subsequent attempts to load the site via HTTP resume their regular behavior instead of automatically transitioning to HTTPS. The policy is renewed each time the browser encounters the header again.
The Strict-Transport-Security header also accepts an optional directive, preload. This directive signals whether you want the domain to be included in the HSTS preload list (directive present) or removed from it (directive absent).
For users to benefit from HSTS, their browser must see the HSTS header at least once. Users are protected only after they have established a successful, secure connection to the HSTS-enabled domain. That first visit typically begins as a plain HTTP request that the server redirects to HTTPS, and during this redirect the browser may never reach the parent website at all.
If the user never directly accesses the parent website (for example, because they only ever visit one of its subdomains), they will never encounter the HSTS policy with an includeSubDomains directive that applies to the entire domain.
Major browsers like Chrome, Firefox, Safari, Opera, and Edge provide an "HSTS preload list" to address this issue. The list comprises domains that are hard-coded into those browsers, so Strict Transport Security is enforced for them automatically, even during the initial visit.
Because the list has been integrated into popular browsers, it can be shared among them to ensure consistent enforcement across platforms.
For example, the Chrome security team maintains a form through which you can request that your domains be included in Chrome's HTTP Strict Transport Security (HSTS) preload list. Domains on that list are hard-coded into the Chrome browser as HTTPS-only. A domain must meet specific requirements before the preload and the HTTP-to-HTTPS redirection are enforced: HTTPS must be enabled on the root domain and all subdomains, and the header must carry a long max-age together with the preload directive.
When the browser starts up or updates, it loads the preload list and enforces the HSTS policies for the domains it contains, so users automatically connect to these websites over HTTPS without additional actions or redirections. Browser vendors continually update and maintain the preload list, adding domains submitted by website owners and removing domains that no longer meet the requirements or no longer wish to enforce the policy.
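The header handling described above (parsing max-age, includeSubDomains and preload, upgrading HTTP URLs for the host and its subdomains, expiry and renewal, and the header-side preload requirements) can be modelled compactly. This is an added example, not code from the original post or from any browser; the hostnames and timestamps are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated, case-insensitive directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self):
        self.known = {}

    def observe(self, host, header, now):
        # Called for a header seen over HTTPS; every sighting renews the policy.
        # max-age=0 tells the browser to forget the host (RFC 6797 section 6.1.1).
        p = parse_hsts(header)
        if p["max_age"] is None:
            return
        if p["max_age"] == 0:
            self.known.pop(host, None)
        else:
            self.known[host] = (now + p["max_age"], p["include_subdomains"])

    def upgrade(self, url, now):
        # Rewrite http:// to https:// when an unexpired policy covers the host directly,
        # or covers it as a subdomain because includeSubDomains was set.
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        for known, (expires, subs) in self.known.items():
            if now < expires and (host == known or (subs and host.endswith("." + known))):
                return urlunsplit(("https",) + parts[1:])
        return url


def preload_eligible(header):
    # Header-side preload requirements: max-age of at least one year, includeSubDomains, preload.
    p = parse_hsts(header)
    return (p["max_age"] or 0) >= ONE_YEAR and p["include_subdomains"] and p["preload"]
```

Note that "test-sub.com" is not a subdomain of "test.com", so the store leaves it alone; only hosts ending in ".test.com" are covered by includeSubDomains.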
Now let’s look at the most common threats that HSTS can minimize.
Plain HTTP does not encrypt communication. As a result, there is a higher likelihood of HTTP traffic being intercepted and requests being redirected to malicious websites, which is exactly what man-in-the-middle attacks do.
HSTS ensures browser requests are encrypted, preventing unauthorized parties from eavesdropping on or intercepting the communication.
Cookie hijacking occurs when an attacker gains unauthorized access to a user's session cookies and uses them to impersonate that user. HSTS helps prevent such attacks by enforcing HTTPS and ensuring that session cookies are transmitted only over encrypted, secure connections.
This is another type of MIM attack, in which an attacker forces the connection down from secure HTTPS to the weaker HTTP protocol. Because HSTS-enabled websites require the browser to use HTTPS for all subsequent requests, they prevent protocol downgrading even if the user enters an HTTP URL.
MIM attacks can also occur when an attacker presents an unauthorized certificate to users accessing unsecured websites. The intention behind this is to make the user trust and accept the certificate, potentially leading to security compromises.
HSTS effectively prevents users from bypassing the warning message related to the invalid certificate.
HSTS brings many benefits to organizations, as listed below.
As described earlier, HSTS helps protect against different types of cyberattacks. The secure connection between clients and servers prevents attackers from gaining advantages from weak communication protocols.
By enforcing HTTPS, HSTS guarantees a secure connection for users — a great first step in web app security. It also stops attackers from interfering with or stealing sensitive information like user data stored in session cookies.
When the user revisits an HSTS-enabled website, the browser does not need to check for the HSTS header again. Browsers cache the HSTS policy rather than retrieving it on every visit, and skipping the insecure request and redirect can improve the loading speed of the website.
When users know that a website is committed to enforcing HSTS and consistently uses HTTPS, it helps build trust in using the site securely. It also improves the user experience by removing the need to click through certificate warnings to reach the site.
Features like HSTS preloading help to apply the HSTS policies consistently across all subsequent visits, regardless of user actions or prior knowledge of the security features of the website.
When using HSTS, it is important to understand its limitations and take additional security measures to mitigate them.
HSTS is an important web security standard that ensures secure communication between web browsers and websites. It enforces HTTPS and prevents insecure access via HTTP. HSTS mitigates cyber threats like protocol downgrading, MIM, and session-cookie hijacking. The HSTS header, combined with features like HSTS preloading, instructs browsers to always use HTTPS and to cache this policy for faster subsequent visits.
HSTS helps enhance web security, performance, and user trust. Nonetheless, it's important to be aware of the limitations of HSTS, such as privacy issues, and its ineffectiveness against DNS-based and TLS attacks.
This posting does not necessarily represent Splunk's position, strategies or opinion.