Web Experience Platforms
HTTP Header Series: HTTP Strict Transport Security
Thursday, March 21, 2019
Layer One - Director of Digital Delivery - Jim Schram
In our opening to this series, we discussed some of the reasons for security headers. In this post we describe in more detail the need for the HSTS header. Simply put, the HSTS header forces browsers to communicate with the site only over a secure (HTTPS) connection. This primarily eliminates the "man-in-the-middle" attack described by Moxie Marlinspike, in which an SSL certificate chain can be spoofed. Additionally, the HSTS header can eliminate accidentally serving HTTP pages on a site that should be HTTPS only.
Strict-Transport-Security: max-age=expireTime [; includeSubDomains]
- max-age=expireTime: The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
- includeSubDomains: If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
Example with a one-year (31536000 seconds) max-age:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Example with a one-day (86400 seconds) max-age:
Strict-Transport-Security: max-age=86400; includeSubDomains
The preload directive indicates that the site is present on a global list of HTTPS-only sites built into browsers. You, as the site owner, will need to register the site on that list prior to using this directive. Preloading is intended to speed up page loads and eliminate the risk of "man-in-the-middle" attacks when a site is visited for the first time, before the browser has ever seen the header. As a word of caution, getting your domain removed from the global list can be a tedious process, so be sure this is what you want to do.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- If you are using the HSTS header and the certificate is not valid, you will be prevented from making a connection. Typically, when a certificate is not valid, the browser asks the user whether they would like to ignore the warning; in the case of an HSTS site, the browser will not let you bypass the warning at all. To access the site, you must remove the site from the HSTS list within the browser.
- The HSTS header is tied to a specific domain name. For example, if the HSTS header is set for "example.com", the site "www.example.com" will not be covered unless the "includeSubDomains" directive is used.
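As an added example (not code from the original post), the following Python parses a Strict-Transport-Security value the way the syntax above describes, then applies the domain-scoping caveat to decide whether a policy received from one host covers a request to another. The header values and host names are constructed samples; the one-year minimum used by the preload check is assumed from the public preload list's published requirements.

```python
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return None if the browser would ignore it."""
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a repeated directive makes the header invalid
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')  # max-age may be a quoted string
            if not value.isdigit():
                return None                  # non-numeric max-age: header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored rather than rejected
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)

def covers_host(policy, header_host, request_host):
    """Does a policy learned from header_host apply to request_host? (second caveat above)"""
    if policy.max_age == 0:
        return False                         # max-age=0 tells the browser to forget the policy
    h, r = header_host.lower(), request_host.lower()
    if r == h:
        return True
    return policy.include_subdomains and r.endswith("." + h)

def preload_ready(policy):
    """Assumed preload-list minimum: one-year max-age, includeSubDomains and preload."""
    return policy.preload and policy.include_subdomains and policy.max_age >= 31536000

# Constructed sample: the one-year header from the examples above, as seen from example.com
policy = parse_hsts("max-age=31536000; includeSubDomains")
print(covers_host(policy, "example.com", "www.example.com"))  # True only because of includeSubDomains
```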