
What is HSTS and should I implement it?

HTTP Strict Transport Security (also known as HSTS) is a powerful browser and server security mechanism that increases the security of your site.

This technology removes the ability for your SSL-encrypted session (HTTPS) to be downgraded to plain HTTP, ensuring that all information exchanged is secure. Implementing the features of HSTS can significantly reduce the likelihood of attacks such as ‘man in the middle’.

This technology has been available in both Google Chrome and Mozilla Firefox since version four of their browsers and since version eleven of Internet Explorer.

How does it work?

There are two main security features that strict transport security implements. These two are centred around preventing a man-in-the-middle attack from taking place in order to steal sensitive information such as credentials to a website.

HTTP Strict Transport Security works by forcing all communication to be sent via HTTPS: it instructs your web browser that no traffic should ever be sent via the HTTP protocol when requesting assets from a website protected by this security mechanism.

The two primary protections are as follows:

* HSTS will automatically upgrade any assets (images, CSS, JavaScript) referenced in the HTML generated by your website so that they are requested via https:// rather than http:// (which then ensures that the content is coming from a source with a valid SSL certificate).

* If a website protected by Strict Transport Security presents an invalid SSL certificate, the browser removes the ability for a visitor to override the certificate warning, preventing access to the website.

HSTS Subdomain Namespaces

In addition to this, the HSTS mechanism also gives website owners the ability to force HSTS to be enforced on all subdomains of their domain. This enhances the protection of their domain namespace, but it can also be an implementation hazard for organisations that rely on subdomains where HTTPS has not been implemented, for example for external resources.

HSTS Preload List

HSTS also has an opt-in preload list. Rather than the policy being initiated by the web server you are contacting, the browser consults a list built into all modern browsers to see whether or not a domain should be using HSTS. This further enhances the protection provided by HSTS by forcing all requests to a domain to be sent via https:// without first having to contact the associated web server to find out whether or not strict transport security should be in use. If you have implemented HTTP Strict Transport Security and want to include your domain on the preload list, the submission form can be found at https://hstspreload.org/
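To make the behaviour described in the sections above concrete (the http:// to https:// upgrade, the includeSubDomains hazard, and the preload list), here is an added example of a toy browser-side HSTS policy cache. It is not code from the original post; the header parser follows the Strict-Transport-Security directives (max-age, includeSubDomains, preload), and the host names used with it are constructed placeholders.

```python
# Added example (not from the original post): a toy model of a browser's HSTS cache.
import time
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None means a browser would ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory

def preload_ready(header):
    """hstspreload.org requires max-age of at least one year, includeSubDomains and preload."""
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= 31536000 and p["include_subdomains"] and p["preload"])

class HstsCache:
    def __init__(self, preloaded=(), now=time.time):
        self.now, self.known = now, {}  # known: host -> (expiry, include_subdomains)
        self.preloaded = {h.lower() for h in preloaded}  # preload implies includeSubDomains

    def remember(self, host, header):  # header as seen on a valid HTTPS response
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.known.pop(host.lower(), None)
        else:
            self.known[host.lower()] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_hsts_host(self, host):
        host = host.lower()
        covers = lambda entry, subs: host == entry or (subs and host.endswith("." + entry))
        return (any(covers(p, True) for p in self.preloaded) or
                any(exp > self.now() and covers(e, subs) for e, (exp, subs) in self.known.items()))

    def rewrite(self, url):  # the URL the browser really fetches: http:// upgraded before any request
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_hsts_host(u.hostname or ""):
            return url
        netloc = u.hostname + (f":{u.port}" if u.port not in (None, 80) else "")  # port 80 -> 443
        return u._replace(scheme="https", netloc=netloc).geturl()
```

Note that once example.com sends includeSubDomains, a plain-HTTP-only intranet.example.com is upgraded too and will fail if it has no certificate, which is the hazard the subdomain section warns about.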

Should I implement HSTS?

The use cases for HSTS are dependent on the information you are protecting. If you are a bank protecting your clients' online net banking facility, then you should definitely be using HSTS across your services. If you run a small personal blog site with no personal information stored in the backend of the website, then the use case is significantly diminished.

As a rule of thumb, we would recommend that any e-commerce store strongly consider the use of HSTS in conjunction with TLS/SSL in order to protect their online presence, especially those dealing with cardholder data.

If you do choose to implement Strict Transport Security across your site, it is recommended that you understand the implications of doing so. If HTTP Strict Transport Security is not configured correctly, there can be major negative impacts on your organisation. We would always recommend engaging a hosting professional to do some prerequisite checks before deploying this across your web presence.
