HSTS extra security over HTTPS

Yes, strict transport security provides a real benefit.

HSTS tells the browser to only communicate with the server via HTTPS. The first time the browser sees the HSTS header from the server, it remembers it. When the user visits the site again, the browser enforces that all communication is done via HTTPS. This will work as long as the attacker doesn't strip the header on the first visit to the site.

This prevents SSL-stripping attacks, a form of man-in-the-middle attack which presents the user with a clear-text resource instead of the SSL one. Normally, the user would not be alerted, and most "average" users wouldn't spot that the SSL padlock or green/blue highlight isn't shown in the URL bar. In the case of HSTS, the browser would immediately warn the user that the browser is attempting to violate its own security policy.

  1. Client creates a clear-text connection to the server.
  2. Server responds with a redirect to the HTTPS address, with the HSTS header set.
  3. Client and server communicate over SSL.
  4. Session ends.
  5. Client comes back later, browser has stored the HSTS flag for this domain.
  6. Attacker attempts to perform SSL-strip attack, and serves clear-text to the client.
  7. Client recognises that the HSTS policy disallows this, and alerts the user.

For further security, some are proposing that HSTS be implemented as an option in DNSSEC, so that the HSTS header is set as part of the DNS lookup. Since DNSSEC provides strong security through pre-distributed authority certificates, this would make it exceedingly difficult for an attacker to defeat the HSTS mechanism, even if they are actively attempting to SSL-strip on the first visit to the site.
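The browser-side sequence in the numbered steps above, as an added Python model that is not code from either answer or from any real browser: it records the policy only from an HTTPS response, honours max-age and includeSubDomains, and rewrites later http:// URLs to https:// before any clear-text request is sent. Header values and hostnames in the test are constructed.

```python
from urllib.parse import urlsplit

class HstsStore:
    """Toy model of a browser's HSTS cache; `now` is seconds since the epoch, as from time.time()."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def parse_header(self, value):
        """Parse a Strict-Transport-Security value, e.g. 'max-age=31536000; includeSubDomains'."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return None  # malformed header: ignore it entirely
            elif name.lower() == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def remember(self, url, header, now):
        """Steps 2-5: store the policy. Only an HTTPS response may set it (RFC 6797 section 8.1)."""
        parts, parsed = urlsplit(url), self.parse_header(header)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the policy
        else:
            self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a parent that set includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve(self, url, now):
        """Steps 6-7: upgrade http:// to https:// for a known host before any request leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return "https://" + url[len("http://"):]
        return url
```

A header received over clear-text HTTP (the first-visit case the answer mentions) is deliberately ignored, which is why the very first visit remains the window an attacker must win.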


Yes, if you are using SSL sitewide, then I definitely recommend enabling HSTS.

HSTS is an important security measure to defeat man-in-the-middle attacks that shift the user over to http and then attack the user. For instance, sslstrip is a well-known tool to mount such an attack. For more details on this sort of attack, see the following questions: How to thwart sslstrip attack?, Options when defending against SSLstrip?, and this answer.

HSTS tells the browser: never use HTTP with this site. Only access it via HTTPS. So, to enable HSTS, you must make sure that your site works with HTTPS, and only HTTPS. This includes everything: HTML, CSS, Javascript, everything. Make sure all of the CSS and Javascript on your site is available over HTTPS. Also, I suggest that you convert your pages to reference everything over HTTPS (I recommend your pages avoid loading any other Javascript or CSS resource over HTTP, as that may cause warnings or security problems for some browsers).

For instance, let's say your site is www.example.com and you have a page https://www.example.com/buy.html which includes some Javascript from your site. You must make sure your Javascript file is available on a HTTPS URL (e.g., https://www.example.com/library.js). I recommend that you load it via a HTTPS URL (e.g., <SCRIPT SRC="https://www.example.com/library.js">).

P.S. I also recommend that you set the secure flag on all cookies you use.

Tags: Apache, Hsts, Tls