
HTTP Strict Transport Security, abbreviated HSTS, is a security policy that forces a connection over HTTPS.
It is of course important that a valid, active SSL certificate is present.
Without a valid SSL certificate in combination with HSTS, the website cannot be loaded.
In that case there is also no option to ignore the error message, whereas this option is present when HSTS is not used.


HSTS vulnerability

As a website administrator, you have the option to choose whether traffic should go over HTTP or HTTPS.
By default, it goes over HTTP. You can install an SSL certificate and redirect website traffic to HTTPS, for example via .htaccess or by ticking a checkbox in your control panel.
However, HSTS is not foolproof: the very first request still goes over HTTP, so during that first request an attacker can still take advantage of it and perform a man in the middle attack.
Note that HSTS can only be activated when there is a valid


Man in the middle attack

As indicated, the first request still goes over HTTP, so a hacker can perform a man in the middle (MITM) attack.
In a man in the middle attack, a hacker intercepts and possibly modifies the communication between the visitor and the server.
Any information you enter can then be viewed by the hacker and possibly even modified.
For example, a hacker can also place a cookie (file) on your computer that causes your web browser to redirect you to another website.
The hacker can then send you to a website that looks like an official website, such as a bank's website, but is not the official website.
This allows the hacker to obtain your data and misuse it.

When HSTS is active this risk decreases, especially when you use the preload feature.
More information about a man in the middle attack can be found on Wikipedia.


Setting a period with HSTS

With HSTS you specify a period for which you tell the client (web browser) to use HTTPS only.
The default period is 1 year, but a longer or shorter period can also be set.
Make sure you set this properly, so that your visitors are not inconvenienced by it for months or years.
If you unexpectedly find out that HSTS does not work properly after you have activated it with a period of 1 year, all your visitors will be inconvenienced by this setting for 1 year, unless they remove it manually in their browser settings.


Subdomains and HSTS

In some cases you may have subdomains on different servers.
HSTS does not take this into account and therefore requires a valid SSL certificate on those servers as well.
A wrong HSTS setting can directly cause a large part of your website to fail.
It is therefore very important to handle this carefully.
One thing you should think about is whether you want to cover all your subdomains with HSTS.
If you want to include subdomains, you can usually select this in the control panel, or specify it in the configuration.


What are the advantages of HSTS?

  • The main advantage of HSTS is that it improves security. It prevents the man in the middle attack if you configure it properly, and in addition you are better prepared for the future.

  • Once an HSTS header is active, the website will load faster because the redirection from HTTP to HTTPS no longer takes place.
    Search engines will also rank sites higher in the results when HSTS is used.

What are the disadvantages of HSTS?

  • One of the disadvantages is that you always need to have a valid SSL certificate (of course this should be standard and is not really a disadvantage).

  • When activating HSTS, also take subdomains into account: if you activate HSTS via the main domain and specify that it should also cover the subdomains, then all your subdomains must have a valid SSL certificate.

  • Setting it up incorrectly could result in your website(s) being down for an extended period of time.

  • HSTS is not foolproof (yet). When the website is visited for the first time, this still happens via HTTP, so a hacker can use certain tools to remove the HSTS header.
    To counter this better, you can use the preload list.

HSTS preload list

Many web browsers use an HSTS preload list.
This is a list of domain names that are only reachable over HTTPS.
Once your domain is on the preload list, this provides even more security because the HSTS policy is already known to the browser before your website loads.
This way, your website is loaded directly over HTTPS.
You can add your site to the preload list at https://hstspreload.org.
However, there are some conditions you must meet:

  • Obviously, your domain name must have a valid SSL certificate.

  • All requests on the HTTP port (port 80) must be redirected to https:// on the same domain. For example, http://examplesite.nl must redirect to https://examplesite.nl and must not redirect to https://www.examplesite.nl

  • The HSTS header you use must include the includeSubDomains directive.

  • The max-age (period) must be at least 18 weeks.

  • You must use the preload feature.

How do I activate HSTS?

The explanation on how to activate HSTS can be found in the article: How do I activate HSTS?


How can I remove HSTS when an HSTS header is active?

This varies by web browser.

Chrome:
Type the following into your address bar: chrome://net-internals/#hsts
Here you have several options, including querying the HSTS entry for a domain and deleting it.

Brave:
Type the following in your address bar: brave://net-internals/#hsts
Here you have several options, including querying the HSTS entry for a domain and deleting it.


Firefox:
Open Firefox and press Ctrl+Shift+H (or Cmd+Shift+H on a Mac).
Find the website for which you want to remove the HSTS.
Right-click on it, and click "Forget About This Site" or "Forget This Website."
Note that this also deletes saved passwords.
