HSTS stands for HTTP Strict Transport Security.
HSTS is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. The HSTS Policy is communicated, from the server to the user agent, via an HTTPS response header field named "Strict-Transport-Security".
It specifies a period of time in which the user agent should only access the server in a secure fashion.[2]
Note that the protection only applies after a user has visited the site at least once. It works by upgrade to HTTPS automatically, without making an HTTP request, to prevents the HTTP man-in-the-middle attack from occurring.
To detect if a HTTPS server is supporting HSTS, just examine the HTTP response header if the following header exists.
Strict-Transport-Security: max-age=31536000;
It is accepted in HTTPS communication only. The max-age parameter specifies how long to remember the rule in seconds (31536000 corresponds to a year). Append ; includeSubDomains at the end to apply the rule for all subdomains as well.
Here, I'm using my browser (MS Edge) to query if a website is supporting HSTS or not. Enter the "edge://net-internals/#hsts" or "chrome://net-internals/#hsts" at the URL, and put in the website for query.
support HSTS |
Nowadays, it is hardly find a website that does not support HSTS, so I run a simple HTTP in my lab.
Not supporting HSTS |
Benefits of HSTS:
- Simple to implement at web server.
- Helps in implementing HTTPS correctly.
- Enabling HSTS helps to ensure that you remain compliant with privacy and data security regulations that require the use of HTTPS.
Links:
- https://www.rapid7.com/blog/post/2011/05/03/strictly-https/
- https://www.rapid7.com/db/vulnerabilities/hstsdetection-hstsattack-1/
- https://www.rapid7.com/db/modules/auxiliary/scanner/http/http_hsts/