Demystifying the HTTP Strict Transport Security (HSTS) Header
Updated: Feb 27, 2021
Ideally, web sites would run exclusively over HTTPS. In the future, we might find sites avoiding HTTP entirely using one of the following options.
1. Not serving any pages or content using HTTP
2. Serve a static "HTTP landing page" over HTTP that contains only an instruction that the user must use HTTPS, along with a link to the HTTPS version of the site
However, neither of these options is particularly graceful or transparent. Site operators rightly worry that customers who browse to their site over HTTP would find this experience crude at best. Most sites listen for customers connecting over HTTP and then redirect the user "up" to HTTPS automatically. Redirects to HTTPS ensure customers enjoy the benefits of HTTPS and respect the user's privacy.
However, the redirection itself may expose another vulnerability: SSL Stripping. (Since SSL has been replaced by TLS, maybe we should call the attack TLS Stripping.) In any case, SSL Stripping relies on the user starting out with HTTP and then being bumped up to HTTPS.
To start, the attacker gets between the victim and the web site, intercepting all of the traffic back and forth. Since the attacker is sitting in the middle, the user is really connected to the attacker, not the web server. The attacker forwards any communications from the user to the web server, making it appear as if the user is connected to the web server. When the web server notices the user connecting over HTTP, the server sends one of those "redirect to HTTPS" commands back to the user's browser. Alas, the attacker intercepts this redirect, changing the "redirect to HTTPS" to "redirect to HTTP" (without the "S"). The HTTPS has been "stripped".
The server still expects an HTTPS connection, so the attacker makes the HTTPS connection to the server but leaves their own connection to the user as HTTP. The user's communications are unprotected, and the attacker can read and alter all of them.
[Interested in a highly-detailed demonstration of SSL Stripping? Check out this video showing an in-depth breakdown]
HTTP Strict Transport Security (HSTS) HTTP Response Header
The HTTP Strict Transport Security (HSTS) header is an HTTP response header that allows the web server to tell the user's browser to connect to the web site if and only if the connection is over HTTPS. This request to only make secure connections is good for a period of time specified in the header. From that point forward, the browser will only connect to the site over HTTPS and will automatically make the HTTPS connection regardless of what scheme (HTTP or HTTPS) is in the actual URL, bookmark or favorite.
As with other security headers, details matter. The header must be spelled and formatted correctly according to the RFC. Also, the header must be set by the web server tier rather than the application to ensure all resources are protected and the header is not duplicated.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Breaking down the header
The header starts with its name Strict-Transport-Security followed by a colon that separates the name from the value. The value contains two directives: max-age and includeSubDomains. max-age is the number of seconds for which the browser is to enforce the HSTS policy.
A value of 31536000 (seconds) is 1 year. includeSubDomains enforces the policy not only on the domain that issued the header (e.g. abc.mydomain.com) but also on any sub-domains of that domain (e.g. marketing.abc.mydomain.com). Each time the browser visits the site and sees the header again, the 1-year clock restarts.
Why set the value of max-age to 31536000 (1 year) and includeSubDomains?
One year is a globally accepted best practice, providing the user a reasonable cushion of time to revisit the site safely. In addition, sites that do not set the max-age value to at least 1 year and add the includeSubDomains directive are not eligible for HSTS Preloading. Read on to learn why this might be important.
What about the user's first visit before the browser notices the HSTS header?
Recall with SSL Stripping, the attacker is machine-in-the-middle (MiTM) between the victim and the web application; intercepting all traffic in both directions. When such a user visits the web site, the attacker can simply throw away the HSTS header while the attacker maintains an HTTP connection between themselves and the user. HSTS is meant to eliminate the redirects that expose the issue, but we still have the "first visit problem". Until the browser gets the HSTS header, the browser does not know to enforce HTTPS.
HSTS Preload List
The SSL Stripping issue can be further mitigated by adding the site to the HSTS Pre-load list. This is a list of sites that have opted into the HSTS Preload feature. A list of these sites is shipped with popular web browsers such as Chrome, Firefox, Opera, Safari, IE 11 and Edge. If the user uses an HSTS pre-load compliant browser with the site pre-loaded, the browser will automatically request the HTTPS version of the site regardless of whether the user has visited the site before.
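To make the browser-side behaviour above concrete (the "first visit problem", the max-age clock, includeSubDomains matching and the built-in preload list), here is an added example that models a browser's HSTS store; it is not code from the article or from any real browser, and the class and method names are illustrative.

```python
# Added example (not the article's code): a minimal model of a browser's HSTS store.
# Shows why the very first plain-HTTP visit is not upgraded, how max-age expires and
# is reset on every sighting, how includeSubDomains matches, and how a preloaded host
# is upgraded even before any visit. Names are illustrative, not a real browser API.
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, preload=()):
        # preload: hosts shipped with the browser; preload entries require
        # includeSubDomains, so a preloaded host covers its subdomains too
        self.preloaded = {h.lower() for h in preload}
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, max_age, include_subdomains, now):
        """Called when an HTTPS response carried a valid HSTS header.
        Seeing the header again restarts the clock; max-age=0 removes the policy."""
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + max_age, include_subdomains)

    def is_known_host(self, host, now):
        labels = host.lower().split(".")
        # check the host itself, then each parent domain (parents only apply
        # when their policy was set with includeSubDomains)
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:
                return True
            if candidate in self.policies:
                expires_at, include_subdomains = self.policies[candidate]
                if now < expires_at and (i == 0 or include_subdomains):
                    return True
        return False  # first visit, expired policy, or unrelated host

    def rewrite(self, url, now):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname, now):
            # RFC 6797 maps an explicit port 80 to 443; any other port is kept
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Until observe() has been called for a host (the first visit), rewrite() leaves an http:// URL untouched, which is exactly the window the preload list closes.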
Sites must meet several requirements to be eligible for HSTS pre-loading.
1. The parent site and all subsites must be served over HTTPS
2. The parent site and all subsites must have a valid HTTPS certificate
3. HSTS must be set on the parent domain
4. The parent site must serve an HSTS header on HTTPS requests with a max-age of at least 31536000 seconds (1 year) and with both the includeSubDomains and preload directives specified:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
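The following added example (not the article's code) parses a Strict-Transport-Security value the way RFC 6797 describes, covering the header breakdown above and the preload eligibility rules just listed; the function names are illustrative choices.

```python
# Added example (not the article's code): parse a Strict-Transport-Security value
# following RFC 6797 and report why it would fail the hstspreload.org header rules
# the article lists. Function and class names are illustrative choices.
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds, the max-age the article recommends


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Return an HstsPolicy, or None when a browser would ignore the header.
    RFC 6797: ';'-separated directives, case-insensitive names, max-age required,
    no directive may appear twice, unknown directives are ignored."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # an empty directive (e.g. a trailing ';') is allowed
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # a duplicate directive makes the header invalid
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None  # max-age missing or not a plain number of seconds
    return HstsPolicy(int(seen["max-age"]),
                      "includesubdomains" in seen, "preload" in seen)


def preload_problems(value):
    """List the preload eligibility problems with a header value ([] means ok)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header missing, malformed or lacks max-age"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems
```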
More information on pre-loading is available at https://hstspreload.org.
How can I check the value of headers on my site?
Any site's headers can be checked using a browser plugin that displays headers or with an interception proxy like OWASP ZAP or Burp Suite. (See below for our video series for ZAP and Burp Suite.) If the site is accessible from the Internet, security headers can be checked conveniently at https://securityheaders.com.
[Would you like a step-by-step tutorial to demystify using the powerful interception proxy Burp-Suite? Check out this playlist]
[Would you like a step-by-step tutorial demonstrating the powerful interception proxy OWASP ZAP? Check out this playlist]
What about the overall security of my site?
A security penetration test can uncover security vulnerabilities in your network, web application, mobile application and APIs, then teach you how to address the issues so you can take action. Ellipsis InfoSec provides top-quality security penetration tests from a highly-certified, globally-recognized expert with many years of experience testing healthcare, retail, supply chain and other Fortune 50 network, web, mobile, web services and APIs. Please reach out to Ellipsis today for more information.
HTTP Strict Transport Security (HSTS): https://tools.ietf.org/html/rfc6797
HSTS Pre-Load List: https://hstspreload.org
Security Headers Check: https://securityheaders.com