GlobalSign Blog

03 Feb 2017

What Is HSTS and How Do I Implement It?

Imagine, if you will, that you are at your favorite restaurant or just getting back to your hotel room from that conference and you want to use their free Wi-Fi. Have you ever noticed that their Wi-Fi passwords are printed on paper and never changed?

A malevolent hacker has booked a room at this same hotel. They are eavesdropping on all of the connections going over this insecure, wireless network.

Within the hacker’s sheaf of evil-doings is something called a ‘packet sniffer’. A packet sniffer is a network utility that captures and analyses the data stream travelling over the targeted network, and it may also inject packets into that stream.

This hacker could capture your network traffic over HTTP for any website that relies on 301 redirects alone to switch from HTTP to HTTPS. That first plaintext request gives the hacker a window of opportunity to strip your SSL encryption and steal valuable data or, even worse, present a fake login portal page.

This is why your website must employ HTTP Strict Transport Security on top of HTTPS. Obtaining an SSL Certificate alone will never be enough.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web server directive that tells user agents and web browsers how to handle connections to the site, by way of a response header sent back to the browser at the very beginning of the exchange.

That response header carries the Strict-Transport-Security policy. It forces connections to the domain over HTTPS encryption, rewriting to HTTPS any script's call to load a resource in that domain over plain HTTP. HSTS is but one arrow in the bundled sheaf of security settings available for your web server or your web hosting service.

Why Should Your Company Implement HSTS?

You never close your physical store or home without locking the doors, right? You may even have metal detectors at the door to control shrinkage. Data can be just as valuable as the physical items in your shop or house, so it’s just as important to keep it locked up and secure. Padlocking your website is sometimes not enough, as people will still find a way to reach it over http://. HSTS forces browsers and app connections to use HTTPS when it is available, even if someone just types in the bare www address or http://.

HTTPS is a small ranking factor in Google and is categorized as a ‘site quality’ score along with many other factors such as page speed and mobile responsiveness.

Setting up 301 redirects from http:// to https:// is not enough to completely secure your domain name. The window of opportunity still exists in the insecure HTTP request that triggers the redirect.

    $ curl --head http://www.facebook.com
    HTTP/1.1 301 Moved Permanently
    Location: https://www.facebook.com/

The hacker(s) are still able to capture site cookies or session IDs (often sent as a URL parameter), or to force a redirection to their phishing site that looks exactly like your website. Ouch!

By having a Strict-Transport-Security header installed, it will be nearly impossible for the bad guys to glean any information at all! Not even your Yoga schedule!

    $ curl --head https://www.facebook.com
    HTTP/1.1 200 OK
    Strict-Transport-Security: max-age=15552000; preload

How Popular Is HSTS Implementation?

The multi-billion-dollar company Google formally rolled out an HSTS security policy on July 29, 2016.

The HSTS specification was first drafted as early as 2009. On the government side, a memorandum came from Tony Scott, CIO, on June 08, 2015, and a more robust effort has been ongoing since 2015.

Facebook, Google, Gmail, Twitter and PayPal are just some of the major social networking and payment portals that implement HSTS today. Even the United States Government’s Executive Office of the President issued Memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services.

How to Implement HSTS for Your Website

If you employ subdomains in your content structure, you will need a Wildcard Certificate so that every subdomain can be served over HTTPS only. Otherwise, you're pretty safe with a Domain Validated, Organization Validated or Extended Validation SSL Certificate. Make sure you have these installed and working correctly.

The initial configurations below let you test your web applications, user login and session management with an HSTS policy that expires every 5 minutes (max-age=300). Continue testing for one week and then one month, fixing any issues that arise in your deployment, by modifying max-age=xxx: one week = 604800; one month = 2592000. Append preload only after your tests are completed.

After you are confident that HSTS is working with your web applications, set max-age to 63072000, which is two years. This is what the Chromium Project wants to see in your preload submission!

HSTS Perpetual Requirements

  • Your website must have a valid SSL Certificate. You can check the validity of your SSL at GlobalSign's SSL Checker.
  • Redirect ALL HTTP links to HTTPS with a 301 Permanent Redirect.
  • All subdomains must be covered in your SSL Certificate. Consider ordering a Wildcard Certificate.
  • Serve an HSTS header on the base domain for HTTPS requests.
  • Max-age must be at least 10886400 seconds (18 weeks). Go for the two-year value, as mentioned above!
  • The includeSubDomains directive must be specified if you have them!
  • The preload directive must be specified.
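The requirements above are easy to check against the header a server actually sends. The following Python is an added example, not code from the original post or from GlobalSign: it parses a Strict-Transport-Security value and reports everything that would keep it off the preload list, using the 18-week minimum and two-year recommendation quoted above. The sample header values are constructed for the demonstration, not captured from any real site.

```python
"""Checks on a Strict-Transport-Security header value (added example)."""

# Thresholds quoted above from the Chromium preload requirements.
PRELOAD_MIN_MAX_AGE = 10886400   # 18 weeks, the minimum for the preload list
RECOMMENDED_MAX_AGE = 63072000   # two years, the value the post recommends


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive. max-age takes a number of seconds,
    includeSubDomains and preload are bare flags. Unknown directives are
    ignored by browsers (RFC 6797) but recorded here under 'unknown' because
    they usually mean a server flag leaked into the header value.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "unknown": [], "errors": []}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if result["max_age"] is not None:
                result["errors"].append("max-age given more than once")
            elif not arg.isdigit():
                result["errors"].append("max-age is not a non-negative integer: %r" % arg)
            else:
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            result["unknown"].append(name)
    if result["max_age"] is None and not result["errors"]:
        result["errors"].append("max-age directive missing; browsers ignore the header")
    return result


def check_hsts(value):
    """Return findings for a header value measured against the requirements
    listed above; an empty list means the header satisfies them."""
    p = parse_hsts(value)
    findings = list(p["errors"])
    if p["max_age"] is not None and p["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age %d is below the %d second (18 week) minimum"
                        % (p["max_age"], PRELOAD_MIN_MAX_AGE))
    if not p["include_subdomains"]:
        findings.append("includeSubDomains directive missing")
    if not p["preload"]:
        findings.append("preload directive missing")
    for name in p["unknown"]:
        findings.append("stray directive %r in header value (check the server config)" % name)
    return findings


# Constructed sample header values for the demonstration.
SAMPLES = {
    "testing phase (5 minutes)": "max-age=300; includeSubDomains; preload",
    "ready for preload":         "max-age=63072000; includeSubDomains; preload",
    "server flag leaked":        "max-age=300; includeSubDomains; preload; always",
    "no max-age at all":         "includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print("%-28s %s" % (label, value))
        for finding in check_hsts(value) or ["OK"]:
            print("    -", finding)
```

To run it against a live site, feed `check_hsts` the value printed by `curl --head https://yourdomain` on the Strict-Transport-Security line; the "server flag leaked" sample shows what a misplaced web-server option looks like once it lands inside the header value.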

These requirements remain in effect on or after February 29, 2016. Failure to maintain these requirements will get your listing removed! If for any reason you need to remove your HTTPS ONLY domain from this list, follow this guide.

HSTS Installation for Apache Web Server

You can add this to your .htaccess file in the top-level document root folder, such as public_html or httpdoc. The Header directive requires mod_headers to be enabled.

    # Use HTTP Strict Transport Security to force the client to use secure connections only
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

HSTS Installation for lighttpd

Add this to your lighttpd configuration file /etc/lighttpd/lighttpd.conf

    server.modules += ( "mod_setenv" )
    $HTTP["scheme"] == "https" {
        setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300; includeSubDomains; preload" )
    }

HSTS Installation for NGINX

This goes in your site.conf file and I have created a modified gist with additional security parameters.

    # "always" is an add_header option, not part of the header value: it makes
    # NGINX send the header on every response code, not just 2xx and 3xx
    add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload" always;

In the course of my research for NGINX settings, I discovered a government website giving out incorrect information and provided the necessary code change that forces HSTS no matter what HTTP response code is returned.

HSTS Installation for IIS Servers

Add this to the application's Global.asax code-behind; it sends the header on HTTPS requests and redirects plain HTTP requests to HTTPS.

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        switch (Request.Url.Scheme)
        {
            case "https":
                // Tell the browser to use HTTPS only for this host and its subdomains
                Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
                break;
            case "http":
                // Send plain HTTP requests to the HTTPS equivalent of the same URL
                var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
                Response.Status = "301 Moved Permanently";
                Response.AddHeader("Location", path);
                break;
        }
    }

Once you have installed my recommendations, go to HSTS Preloading Application Form and get your website listed in the preload list. It will take time for your domain to be included in that list.

What is HSTS Preloading?

HSTS preloading is a function built into the browser: a global list of hosts ships with the browser, and HTTPS ONLY is enforced for every host on that list.

This list is compiled by the Chromium Project and is used by Chrome, Firefox and Safari. Sites on it do not depend on the HSTS response header to enforce the policy. Instead, the browser already knows that the domain name requires HTTPS ONLY and applies HSTS before any connection or communication even takes place.

This removes the opportunity an attacker has to intercept and tamper with redirects over HTTP. The HSTS response header is still needed in this scenario and must be left in place for those browsers that don’t use preloaded HSTS lists.
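The behaviour described in the "What is HSTS?" section and in the preloading section above can be shown in a few dozen lines. The following Python is an added example, not code from the original post or from any browser project: a simplified user-agent HSTS cache that learns policies only over HTTPS, honours includeSubDomains and max-age expiry, seeds itself from a preload list that headers cannot override, and rewrites http:// URLs for known hosts before any request is made. The host names and the injectable clock are constructed for the demonstration.

```python
"""A simulated browser-side HSTS cache, preload list included (added example)."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Keeps the hosts a user agent knows to be HTTPS-only.

    Each entry maps a host to (expiry, include_subdomains). Preloaded hosts
    are stored with expiry None: they never expire and a header cannot
    change them, which is what makes the built-in list immune to tampering
    on the network.
    """

    def __init__(self, preload=(), clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without waiting
        self._entries = {}
        for host, include_subdomains in preload:
            self._entries[host.lower()] = (None, include_subdomains)

    def observe_header(self, host, scheme, max_age, include_subdomains=False):
        """Record a Strict-Transport-Security policy from a response.

        Only a header received over HTTPS is trusted; over plain HTTP anyone
        on the path could set or clear the policy. max-age=0 tells the user
        agent to forget a policy it learned earlier. Returns True if the
        cache changed.
        """
        host = host.lower()
        if scheme != "https":
            return False
        current = self._entries.get(host)
        if current is not None and current[0] is None:
            return False  # preloaded entry; headers cannot override it
        if max_age == 0:
            return self._entries.pop(host, None) is not None
        self._entries[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain whose policy covers subdomains,
        has an unexpired entry."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry is not None and expiry <= now:
                continue  # an expired entry behaves as if absent
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Return the URL the user agent would actually request.

        For a known host every http:// URL, whether typed by the user or
        requested by a script for a sub-resource, is turned into https://
        before any packet leaves the machine, so there is no plaintext
        request to intercept. An explicit port 80 becomes 443 (RFC 6797);
        any other explicit port is kept.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed walkthrough: one preloaded domain, one learned from a header.
    store = HstsStore(preload=[("preload.example", True)])
    print(store.rewrite_url("http://www.preload.example/login"))   # upgraded via preload list
    store.observe_header("shop.example", "http", 300)               # ignored: came over HTTP
    print(store.rewrite_url("http://shop.example/"))                 # still plain HTTP
    store.observe_header("shop.example", "https", 300)              # learned over HTTPS
    print(store.rewrite_url("http://shop.example:80/cart?id=7"))     # upgraded, port 80 -> 443
```

The 5-minute testing value from the installation section is visible here as the 300-second expiry: once it passes, the browser forgets the host and the next http:// request goes out in the clear again, which is why the post moves on to the one-week, one-month and two-year values before submitting for preload.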

HTTP Strict Transport Security has been around for almost eight years now. An HTTPS ONLY policy in your web infrastructure will keep the bad guys out and your sensitive data secure. It takes mere minutes for your webmaster or web hosting service to install, and it will boost your SSL score with GlobalSign’s SSL Checker.

About Denver

Denver is President of StrikeHawk eCommerce, Inc. and has been involved in secure web hosting since 2005. He is an open source software evangelist through many open source projects on the web, and the co-founder of StrikeHawk eCommerce, Inc., which specializes in securely hosting open source eCommerce web applications. Denver currently resides in the Southern United States of America.

StrikeHawk eCommerce, Inc. offers shared hosting, cloud and dedicated hosting with full support for various shopping cart applications such as PrestaShop, Woocommerce and WHMCS. Strikehawk is also an authorized reseller of GlobalSign products and services.
