HTTP Strict Transport Security (HSTS) is a response header that tells your browser it may only reach the site that sent it over HTTPS, never over plain HTTP. It is a security layer that is lesser known to the masses. It can help secure your site, make it more responsive, and improve your search engine optimisation (SEO) ranking as well.
To understand how it works you need a short lesson on HTTPS. HTTPS stands for Hypertext Transfer Protocol Secure. It is the secure version of HTTP, which adds an encryption layer to the site and to the user's session — safeguarding their information from hackers.
As you can see, this feature is a boon for websites with a massive influx of traffic, say an e-commerce website or a banking/transaction site where sensitive data is transferred. HTTPS is also a crucial factor on which Google ranks your site in its search results. Not to mention the boost in speed achieved by skipping the HTTP version and going directly to the HTTPS version of the site.
Although HSTS is not entirely tamper-proof (which we'll get to in a bit), it is still secure and faster than HTTPS on its own, which makes it favourable to most big e-commerce and other transaction sites.
As we mentioned earlier, HSTS is not entirely tamper-proof. Perpetrators can pull a sneaky one with a technique called "SSL Stripping."
SSL Stripping is a targeted attack on a user in which hackers swap the requested website for one of their own, which looks and feels like the original but strips away its encryption — that is where the "stripping" part of the name comes from — and exposes the user's sensitive credentials, which in all probability will be misused by the hacker. SSL Stripping attacks are widely known as HTTP downgrade attacks.
These attacks often occur when the user is redirected from the merchant site to a payment portal. While the redirect takes just milliseconds, that is enough for a skilled hacker to perform SSL stripping on the site.
How do I avoid SSL stripping?
Always make sure you're on an HTTPS site, indicated by the green "https://" and a padlock in the address bar, while you enter sensitive information. You can also use extensions like HTTPS Everywhere, available for Chrome, to force your browser to show you only HTTPS-encrypted sites for better safety.
How do I apply HSTS?
Before you enable HSTS, understand that a valid SSL certificate is a prerequisite. To enable HSTS on your site, you need to add the HSTS header. This can be done via your hosting provider, or by yourself if you're on a private server.
You can use a site run by Chrome to submit your domain to its HSTS preload list. Some of its requirements are as follows:
- HTTPS must be enabled on your site's root domain and on all of its subdomains.
- A valid SSL certificate is required.
- Redirect from HTTP to HTTPS on the same host if you're listening on port 80.
- The HSTS header must be served on the base domain for HTTPS requests.
- The max-age must be at least 31536000 seconds (i.e. 1 year).
- The preload directive must be specified.
- A redirect from your HTTPS site must still carry the HSTS header.
To stay on the list, you must continue to meet the requirements above; failure to comply will result in automatic removal from the list.
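As an added example (not code from the original article or from the preload service), here is a small Python checker that applies the requirements above to a captured redirect chain: it parses the Strict-Transport-Security header, checks max-age, includeSubDomains and preload, and confirms that HTTP redirects to HTTPS on the same host and that every HTTPS hop, redirects included, carries a compliant header. The example.com responses in the sample chain are constructed, not real captures.

```python
from urllib.parse import urlsplit
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the preload list's minimum

def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a lowercase dict (None if unusable)."""
    directives = {}
    for part in (value or "").split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    # A header without a numeric max-age is not a valid HSTS policy at all.
    return directives if directives.get("max-age", "").isdigit() else None

def header_problems(value):
    """List what keeps one HSTS header value from meeting the preload rules."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if int(parsed["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below 31536000 seconds (1 year)")
    if "includesubdomains" not in parsed:
        problems.append("includeSubDomains directive missing")
    if "preload" not in parsed:
        problems.append("preload directive missing")
    return problems

def audit_chain(chain):
    """Audit a captured redirect chain; hops are {'url', 'status', 'headers'} dicts."""
    problems = []
    first = chain[0]
    src, dst = urlsplit(first["url"]), urlsplit(first["headers"].get("location", ""))
    # Rule: port-80 HTTP must redirect to HTTPS on the same host.
    if not (300 <= first["status"] < 400 and dst.scheme == "https"
            and dst.hostname == src.hostname):
        problems.append("HTTP must redirect to HTTPS on the same host")
    # Rule: every HTTPS hop, redirects included, must serve a compliant header.
    for hop in chain[1:]:
        if urlsplit(hop["url"]).scheme != "https":
            problems.append(f"{hop['url']}: not served over HTTPS")
        hsts = hop["headers"].get("strict-transport-security")
        problems += [f"{hop['url']}: {p}" for p in header_problems(hsts)]
    return problems

# Constructed sample (not a real capture): the shape a preload-ready base domain shows.
SAMPLE_CHAIN = [
    {"url": "http://example.com/", "status": 301, "headers": {"location": "https://example.com/"}},
    {"url": "https://example.com/", "status": 200, "headers": {
        "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}},
]
```

Running `audit_chain(SAMPLE_CHAIN)` returns an empty list; a site that answers port 80 with content instead of a redirect, or serves a short max-age, gets one line per violated rule.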
HSTS is the future. If your site deals with transactions and sensitive data, it is an absolute no-brainer. It boosts security and gives you better load times and even a little kick to your SEO rating.
However, do note that content publishers often have trouble switching over to HTTPS, as it is harder to serve ads. Unfortunately, this trend will continue with HSTS as well. Still, the internet will evolve as it always has; the pros outweigh the cons, and there will be workarounds for these shortcomings in the future.