Apr 23, 2021

When HTTPS is not Sufficient

HSTS stands for HTTP Strict Transport Security.

HSTS is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. The HSTS Policy is communicated, from the server to the user agent, via an HTTPS response header field named "Strict-Transport-Security".

It specifies a period of time during which the user agent must only access the server over HTTPS.

Note that the protection only applies after a user has visited the site over HTTPS at least once and received the header (trust on first use); that first visit is unprotected unless the domain is on the browsers' built-in HSTS preload list. Once the policy is stored, the browser rewrites any http:// URL for that host to https:// internally, without ever sending a plain-HTTP request, so an on-path attacker never sees a cleartext request to intercept or downgrade.

To check whether an HTTPS server supports HSTS, look for the following header in its HTTPS response:

Strict-Transport-Security: max-age=31536000; 

It is accepted in HTTPS communication only: a user agent ignores the header if it arrives over plain HTTP. The max-age directive specifies how long to remember the rule, in seconds (31536000 corresponds to one year); max-age=0 tells the browser to discard a stored policy. Append ; includeSubDomains at the end to apply the rule to all subdomains as well, which also stops a plain-HTTP subdomain from leaking cookies scoped to the parent domain.
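As an added example (not code from the original post), the following Python script parses a Strict-Transport-Security header the way RFC 6797 describes (directive names are case-insensitive, max-age is mandatory, a repeated directive invalidates the header, unknown directives are ignored) and then flags the weaknesses a reviewer would look for: no policy, max-age=0, a max-age under one year, or a missing includeSubDomains. The header strings at the bottom are constructed test inputs; fetch_hsts is an optional live check and is not called automatically. The one-year threshold mirrors the value the post recommends and the current preload-list requirement.

```python
"""Parse and assess a Strict-Transport-Security header (RFC 6797).

Added example, not part of the original post. Sample header values below are
constructed; fetch_hsts() performs a real request only when you call it.
"""
import urllib.request
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the value the post uses and the preload minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value):
    """Return an HstsPolicy, or None if the header is absent or invalid.

    RFC 6797 rules applied here: directive names are case-insensitive,
    max-age is required, a directive must not appear twice, and directives
    the parser does not know are ignored.
    """
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return None  # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(policy):
    """Return a list of findings; an empty list means the policy is sound."""
    findings = []
    if policy is None:
        findings.append("no valid Strict-Transport-Security header: the browser "
                        "will still accept plain HTTP for this host")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears any stored policy (only use it to turn HSTS off)")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year; the policy "
                        "expires quickly and the host is not preload-eligible")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: a plain-HTTP subdomain can still "
                        "leak cookies scoped to the parent domain")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requested but the preload list requires "
                        "max-age >= 1 year and includeSubDomains")
    return findings


def fetch_hsts(url, timeout=10):
    """Fetch the header from a live HTTPS URL (HEAD request)."""
    if not url.startswith("https://"):
        raise ValueError("HSTS is only honoured on HTTPS responses")
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample headers, from the post's recommended form downwards.
    samples = [
        "max-age=31536000; includeSubDomains",
        "max-age=31536000; includeSubDomains; preload",
        "MAX-AGE=300",
        "max-age=0",
        "includeSubDomains",          # invalid: max-age is mandatory
        None,                         # header absent, e.g. the lab HTTP server
    ]
    for value in samples:
        print(repr(value), "->", assess(parse_hsts(value)) or "OK")
```

To test a real site, call fetch_hsts("https://example.org") and pass the result to parse_hsts and assess; note that the script only inspects one response, whereas a browser also needs the HTTP-to-HTTPS redirect to be in place for the first visit.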

Here I'm using my browser (MS Edge) to query whether a website supports HSTS. Enter "edge://net-internals/#hsts" (or "chrome://net-internals/#hsts" in Chrome) in the address bar, and put the website's domain into the query field.

[Screenshot: net-internals query result for a site that supports HSTS]


Nowadays it is hard to find a website that does not support HSTS, so I ran a plain HTTP server in my lab.

[Screenshot: net-internals query result for a server that does not support HSTS]

Benefits of HSTS:

  • Simple to implement at the web server.
  • Helps in implementing HTTPS correctly.
  • Enabling HSTS helps to ensure that you remain compliant with privacy and data security regulations that require the use of HTTPS.
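As an added example of the "simple to implement" point (configuration written for this page, not taken from the original post), here is a minimal nginx setup: the plain-HTTP server block only redirects to HTTPS, and the HTTPS block emits the header. The hostname and certificate paths are placeholders.

```nginx
# Added example; example.com and the certificate paths are placeholders.
server {
    listen 80;
    server_name example.com;
    # Browsers ignore Strict-Transport-Security over plain HTTP, so the
    # HTTP listener's only job is to send everyone to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;
    ssl_certificate_key /etc/ssl/example.com.key;

    # "always" makes nginx attach the header to every response, including
    # error pages; without it add_header only fires for 2xx/3xx responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Two caveats when rolling this out: nginx does not inherit add_header into a location block that declares its own add_header, so check each location that sets headers; and because the policy is cached client-side for max-age seconds, start with a short max-age and raise it to a year only once every subdomain is confirmed to work over HTTPS.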

Links:

  • https://www.rapid7.com/blog/post/2011/05/03/strictly-https/
  • https://www.rapid7.com/db/vulnerabilities/hstsdetection-hstsattack-1/
  • https://www.rapid7.com/db/modules/auxiliary/scanner/http/http_hsts/