What Is HSTS And How To Activate It
You may have confirmed that your website has SSL enabled, and that the security padlock icon on your browser is green. However, you may forget about the HTTP security guard, HTTP Strict Transport Security (HSTS). What is HSTS, and how can it help keep your site secure?
What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP. The connection is encrypted using the Secure Sockets Layer (SSL) protocol (in practice its successor, TLS) and authenticated with an SSL certificate. When you connect to an HTTPS website, the information transferred between the website and the user is encrypted.
This encryption helps protect you against data theft through man-in-the-middle (MITM) attacks. The added layer of security also goes a long way toward increasing the reputation of your website. In fact, adding an SSL certificate is so easy that many web hosts will add it to your site for free. HTTPS still has some drawbacks, but HSTS is here and can help fix them.
What is HSTS?
HSTS is a response header that tells the browser that the website sending it may only be accessed over HTTPS. From then on the browser will only load the HTTPS version of the website and of any resources on it.
You may not realize that even if you have set up your SSL certificate correctly and enabled HTTPS for your website, the HTTP version is still available. This is true even if you have set up forwarding using 301 permanent redirects. Although the HSTS policy has been around for a while, it was only officially rolled out by Google in July 2016, which is probably why you haven't heard much about it.
Enabling HSTS stops SSL protocol attacks and cookie hijacking, two additional vulnerabilities of SSL-enabled websites. Apart from making websites more secure, HSTS also makes sites load faster by removing a step (the HTTP-to-HTTPS redirect) from the loading procedure.
What is SSL Stripping?
Even though HTTPS is a huge improvement over HTTP, it is not immune to attack. SSL stripping is a very common MITM attack against websites that rely on redirects to send users from HTTP to the HTTPS version of the site. 301 (permanent) and 302 (temporary) redirects basically work like this:
1. Users type google.com into their browser's address bar.
2. The browser initially tries to load http://google.com as default.
3. google.com is set up with a permanent 301 redirect to https://google.com.
4. The browser sees the redirect and loads https://google.com instead.
With SSL stripping, hackers use the window between step 3 and step 4 to block the redirect and stop the browser from ever loading the secure (HTTPS) version of the website. While you are on the unencrypted version of the website, any data you enter can be stolen.
Hackers can also redirect you to a copy of the website you are trying to access, and capture all of your data as you enter it, even if it looks secure. Google has implemented measures in Chrome to stop some types of redirects. However, enabling HSTS should be something you do by default for all your websites from now on.
How To Enable HSTS And Stop SSL Stripping?
Enabling HSTS forces the browser to load the secure version of the website and to refuse plain HTTP connections, whether they come from redirects or from other requests. This closes the window that 301 and 302 redirects leave open.
There is a downside even to HSTS: the user's browser has to see the HSTS header at least once before it can apply it to future visits. This means the user must go through the HTTP > HTTPS redirect at least once, leaving them vulnerable on their first visit to an HSTS-enabled website. To solve this, Chrome ships with a built-in list of websites that have HSTS enabled. Site owners can submit their HSTS-enabled websites to this preload list themselves if they meet the (simple) required criteria.
Websites added to this list are hardcoded into a future Chrome release. This ensures that everyone who visits your HSTS-enabled website with an up-to-date version of Chrome is protected from the very first request. Firefox, Opera, Safari, and Internet Explorer have their own HSTS preload lists, but they are all based on Chrome's list at hstspreload.org.
How To Enable HSTS On Your Website
In order to enable HSTS on your website, you must first have a valid SSL certificate. If you enable HSTS without a working certificate, your site will not be available to any visitors, so make sure your website and any subdomains work on HTTPS before proceeding. Enabling HSTS is quite easy: you just need to add the header to the .htaccess file on your site (on Apache this is done with the Header directive of mod_headers). The directive you need to add is:
# Send the HSTS header on every response; browsers only honor it when received over HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This sets a max-age of one year (31536000 seconds) and, through includeSubDomains, covers your website and all of its subdomains. Once the browser has seen the header, it will refuse to load the insecure HTTP version of the website for a year. Ensure that all subdomains of this domain are included in the SSL certificate and that HTTPS is enabled on them; if you forget this, the subdomain will be inaccessible as soon as you save the .htaccess file.
Websites that do not set the includeSubDomains option can expose visitors to a privacy leak, because a subdomain reachable over plain HTTP can be used to manipulate cookies shared with the parent domain. With includeSubDomains enabled, these cookie attacks are prevented.
Note: Before committing to a maximum age of one year, test your entire website with a maximum age of five minutes, using max-age=300.
Google even recommends that you test your website and its traffic at a one-week value and then a one-month value before imposing a maximum age of two years.
Five minutes: Strict-Transport-Security: max-age=300; includeSubDomains
One week: Strict-Transport-Security: max-age=604800; includeSubDomains
One month: Strict-Transport-Security: max-age=2592000; includeSubDomains
Create HSTS Preload List
By now you should be familiar with HSTS and why it's important for your site to use it. Keeping your website visitors safe online should be a key element of your site plan. To be eligible for the HSTS preload list that Chrome and other browsers use, your website must meet the following requirements:
1. Present a valid SSL certificate.
2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
3. Serve all subdomains via HTTPS. In particular, you must support HTTPS for the www subdomain if there is a DNS record for it.
4. Serve the HSTS header on the base domain for HTTPS requests:
* Maximum age must be at least 31536000 seconds (1 year).
* The includeSubDomains directive must be specified.
* The preload directive must be specified.
* If you serve additional redirects from your HTTPS site, those redirect responses must themselves carry the HSTS header (not only the page they redirect to).
If you want to add your website to the HSTS preload list, make sure you add the required preload directive. The preload directive signals that you want your website to be added to Chrome's HSTS preload list. The directive in the .htaccess should look like this:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
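To make the two mechanisms above concrete (how a browser stores and applies the header from the "How To Enable HSTS" section, and the header-level preload requirements listed above), here is an added Python example that is not part of the original article: a parser for the Strict-Transport-Security value, a check of the max-age/includeSubDomains/preload requirements, and a toy model of the browser's HSTS store that upgrades http:// URLs only while an unexpired policy covers the host. The host names and timestamps are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(header):
    """Parse a Strict-Transport-Security value, e.g. 'max-age=300; includeSubDomains'."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy

def preload_problems(policy):
    """Header-level reasons hstspreload.org would reject this policy (live-site checks not modelled)."""
    checks = [
        (policy["max_age"] >= PRELOAD_MIN_MAX_AGE, "max-age below 31536000"),
        (policy["include_subdomains"], "includeSubDomains missing"),
        (policy["preload"], "preload missing"),
    ]
    return [msg for ok, msg in checks if not ok]

class HstsCache:
    """Toy model of the browser's HSTS store: host -> (expiry, include_subdomains)."""
    def __init__(self):
        self.hosts = {}

    def remember(self, host, policy, now):
        """Record a policy seen on an HTTPS response from host at time now."""
        self.hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def upgrade(self, url, now):
        """Rewrite http:// to https:// when an unexpired policy covers the host; a
        parent domain's entry applies only if it set includeSubDomains."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

Feeding the five-minute test header through preload_problems shows why it is fine for testing but not for submission, and the cache shows that a subdomain stays unprotected until includeSubDomains is set.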
We suggest you add your website to hstspreload.org. The requirements are pretty easy to fulfill, and it will help protect your website's visitors and potentially increase your website's search engine ranking.
So what is HSTS? To summarize: HTTP Strict Transport Security (HSTS) is a web server policy, delivered to user agents and web browsers through a response header, that tells them to use only HTTPS connections to the site from then on.
That concludes this article on what HSTS is and how to secure HTTPS with it. Look forward to other interesting articles, and don't forget to share this one with your friends. Thank you.
Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.