HTTP Headers
Strict Transport Security
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) tells browsers that a website should only be accessed via HTTPS. Once the browser has seen it, any later attempt to connect over HTTP is rewritten to HTTPS before a request leaves the browser, which removes the window in which a protocol downgrade or man-in-the-middle attack could take place.
This is a response header only; it is never sent in requests and is not on the browser's forbidden-header list. Compliant browsers act on it only when it arrives over an HTTPS connection with no certificate errors; the same header received over plain HTTP is ignored.
Syntax
HTTP Strict Transport Security (HSTS) headers inform browsers that they should interact with the website only over secure connections (HTTPS). Directives are separated by semicolons and their names are case-insensitive. Here are the typical formats:
Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains; preload
Directives
max-age=<expire-time>
- The duration, in seconds, for which the browser should remember that the site is to be accessed only over HTTPS. This directive is required; a header without it is ignored. Every response that carries the header restarts the timer, and a value of 0 tells the browser to forget the policy.
includeSubDomains
Optional
- If specified, the rule also applies to all subdomains of the host that sent the header, extending the security policy to them.
preload
Optional
- Refer to Preloading Strict Transport Security for detailed information. When including preload, ensure that the max-age directive is at least 31536000 (equivalent to 1 year) and that the includeSubDomains directive is present. Note that preload is not part of the HSTS specification (RFC 6797); browsers do not act on it, it is a signal read by the preload list submission service.
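The syntax and directive rules above, as an added example (not code from the page or from any browser): a parser that validates a Strict-Transport-Security value along the lines of RFC 6797 section 6.1, plus a check of the preload requirements just listed. The function names parseHsts and preloadEligible and the error strings are this example's own choices; the header values fed to it are constructed for illustration.

```javascript
// Added example: parse and validate a Strict-Transport-Security header value.
// Rules applied (RFC 6797 section 6.1 and 8.1):
//   - directives are separated by ";" and directive names are case-insensitive
//   - max-age is required and takes a non-negative integer (optionally quoted)
//   - a directive that appears twice makes the whole header invalid
//   - unknown directives are ignored so new ones can be added later
// preloadEligible() applies the hstspreload.org requirements quoted above.

const ONE_YEAR = 31536000;

function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (token === '') continue; // a trailing ";" or empty segment is allowed by the grammar
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : token.slice(eq + 1).trim();
    if (val !== null && /^"(.*)"$/.test(val)) val = val.slice(1, -1); // quoted-string form
    if (seen.has(name)) { result.errors.push(`duplicate directive: ${name}`); continue; }
    seen.add(name);
    switch (name) {
      case 'max-age':
        if (val === null || !/^\d+$/.test(val)) result.errors.push('max-age needs a non-negative integer');
        else result.maxAge = parseInt(val, 10);
        break;
      case 'includesubdomains':
        if (val !== null) result.errors.push('includeSubDomains takes no value');
        else result.includeSubDomains = true;
        break;
      case 'preload':
        if (val !== null) result.errors.push('preload takes no value');
        else result.preload = true;
        break;
      default:
        // Unrecognised directives are ignored by conforming browsers.
        break;
    }
  }
  if (result.maxAge === null && !result.errors.some(e => e.startsWith('max-age'))) {
    result.errors.push('max-age directive is required');
  }
  result.valid = result.errors.length === 0;
  return result;
}

// Checks the preload-list submission requirements: valid header, max-age of at
// least one year, includeSubDomains present and the preload token present.
function preloadEligible(value) {
  const p = parseHsts(value);
  const problems = [...p.errors];
  if (p.valid) {
    if (p.maxAge < ONE_YEAR) problems.push(`max-age ${p.maxAge} is below ${ONE_YEAR} (1 year)`);
    if (!p.includeSubDomains) problems.push('includeSubDomains is missing');
    if (!p.preload) problems.push('preload is missing');
  }
  return { eligible: problems.length === 0, problems };
}

// Constructed inputs for a quick look at the behaviour.
console.log(parseHsts('max-age=31536000; includeSubDomains'));
console.log(preloadEligible('max-age=63072000; includeSubDomains; preload'));
```

The duplicate-directive and missing-max-age cases are the ones worth keeping in mind when auditing a server: a header such as `includeSubDomains; preload` with no max-age looks configured but is silently discarded by the browser.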
Example
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected. This happens, for example, when a visitor types http://www.foo.com/ or just foo.com, because the browser tries plain HTTP first.
That first plaintext exchange creates an opportunity for a man-in-the-middle attack: an attacker on the path can answer the HTTP request with a redirect to a malicious site, or simply keep the session on HTTP, instead of letting the visitor reach the secure version of the original site.
The Strict-Transport-Security header informs the browser that it should never load the site over HTTP and should automatically convert all attempts to access the site using HTTP into HTTPS requests instead, so the plaintext request is never sent.
Imagine you log into a free Wi-Fi network at an airport and begin browsing the web, checking your online banking balance and paying bills.
Unfortunately, if the network is operated by a hacker, they could intercept your original HTTP request and redirect you to a clone of your bank’s site rather than the real one, exposing your sensitive data.
Strict Transport Security addresses this issue: once you have accessed your bank's website over HTTPS and the site sends the Strict Transport Security header, your browser remembers to connect only via HTTPS in the future. This defeats the attack on every later visit, provided the very first visit was made over HTTPS (or the site is on the preload list described below).
The first time you access a site via HTTPS and the server returns the Strict-Transport-Security header, your browser records the host name, the expiry time and whether subdomains are included. Future attempts to load the site over HTTP are rewritten to HTTPS before any request is sent.
After the duration specified by max-age expires, the browser reverts to normal behaviour and will again attempt to load the site over HTTP unless the header has been refreshed. Each time the header is received over HTTPS it replaces the stored policy and restarts the timer, so a site that keeps sending it stays protected.
If needed, you can disable Strict Transport Security immediately by sending max-age=0 over an HTTPS connection, which expires the stored policy and allows HTTP access. Sending the header over plain HTTP has no effect, whatever its value.
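The browser-side behaviour described in the three paragraphs above (record only over HTTPS, expire after max-age, refresh on every response, delete on max-age=0, apply includeSubDomains to subdomains), as an added example that is not taken from the page or from any browser's source. The class name HstsStore, its method names and the host names bank.example and www.bank.example are this example's own; timestamps are plain seconds passed in by the caller so the run is deterministic.

```javascript
// Added example: a minimal model of a browser's HSTS store, following the
// processing rules in RFC 6797 sections 8.1 to 8.3.
//   observe()  - a policy is stored only when the response came over HTTPS;
//                max-age=0 deletes it; a later header replaces the earlier one.
//   rewrite()  - an http:// URL is upgraded to https:// when the host, or a
//                superdomain whose policy has includeSubDomains, is still known.

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires, includeSubDomains }
  }

  // Small directive parse: just max-age and includeSubDomains, case-insensitive.
  static parse(value) {
    let maxAge = null;
    let includeSubDomains = false;
    for (const directive of value.split(';')) {
      const [name, v] = directive.trim().split('=').map(s => s.trim());
      const key = name.toLowerCase();
      if (key === 'max-age' && /^\d+$/.test(v ?? '')) maxAge = Number(v);
      if (key === 'includesubdomains') includeSubDomains = true;
    }
    return maxAge === null ? null : { maxAge, includeSubDomains };
  }

  // Called with the header value of a response from `host`. Returns true when
  // the store changed.
  observe(host, headerValue, { overHttps, now }) {
    if (!overHttps) return false;          // RFC 6797 8.1: ignored over plain HTTP
    const p = HstsStore.parse(headerValue);
    if (p === null) return false;          // no usable max-age: ignore, keep old state
    host = host.toLowerCase();
    if (p.maxAge === 0) {                  // max-age=0 expires the policy immediately
      this.policies.delete(host);
      return true;
    }
    this.policies.set(host, { expires: now + p.maxAge, includeSubDomains: p.includeSubDomains });
    return true;
  }

  // RFC 6797 8.2/8.3: exact match, then each superdomain, which only counts if
  // its policy was stored with includeSubDomains. Expired entries are dropped lazily.
  isKnownHost(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p) continue;
      if (p.expires <= now) { this.policies.delete(candidate); continue; }
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Returns the URL the browser would actually fetch.
  rewrite(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnownHost(url.hostname, now)) {
      url.protocol = 'https:'; // WHATWG URL already drops the default port, so :80 -> :443 is implicit
    }
    return url.toString();
  }
}

// Constructed walk-through: header over HTTP is ignored, over HTTPS it sticks.
const store = new HstsStore();
store.observe('bank.example', 'max-age=3600; includeSubDomains', { overHttps: false, now: 0 });
console.log(store.rewrite('http://bank.example/login', 10));     // still http
store.observe('bank.example', 'max-age=3600; includeSubDomains', { overHttps: true, now: 0 });
console.log(store.rewrite('http://www.bank.example/login', 10)); // upgraded to https
```

The lazy-expiry branch is the part that matters operationally: a browser that has not seen the site for longer than max-age silently goes back to trying HTTP first, which is why a short max-age offers little protection to occasional visitors.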
Google offers an HSTS preload service. By following the submission guidelines and submitting your domain, you have it compiled into the browsers' built-in list, so they connect to your site only over HTTPS even on the very first visit, closing the gap that an ordinary header-based policy leaves before it has been seen once. Though maintained by Google, the preload list is used by all major browsers. Keep in mind that this is not part of the HSTS specification, that submission requires the header to already be served with includeSubDomains and preload, and that removal from the list is slow because it ships with browser releases, so treat preloading as a long-term commitment for every subdomain.
- Find out more about the HSTS preload list in Chrome: https://www.chromium.org/hsts/
- Consult the Firefox HSTS preload list: nsSTSPreloadList.inc
Examples
Using Strict-Transport-Security
All current and future subdomains will be HTTPS-only for a max-age of one year. This blocks access to any page or subdomain that still requires HTTP, so confirm that every subdomain, including internal or legacy hosts, is served over HTTPS before enabling includeSubDomains; the policy cannot be scoped to a subset of them.
Example header:
Strict-Transport-Security: max-age=31536000; includeSubDomains
While a one-year max-age
is acceptable, two years is recommended on https://hstspreload.org.
In this example, max-age is set to two years (63072000 seconds), and preload is included, which is required for web browsers to add your site to their preload list, ensuring your entire site is served only over HTTPS:
Example header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
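The example headers above are normally paired with the HTTP-to-HTTPS redirect described earlier. As an added example (not code from the page or from any web framework), here is that pattern as a framework-independent request handler: plain-HTTP requests are redirected to the same URL on HTTPS, and the two-year preload header is sent only on HTTPS responses, where browsers actually honour it. The function name handle, the constant ALLOWED_HOSTS, the request object shape {secure, method, host, path} and the host names are this example's own assumptions; the Host header is checked against an allowlist because redirecting to whatever Host the client supplied would turn the redirect into an open redirect.

```javascript
// Added example: redirect-to-HTTPS plus HSTS, as a pure function so it can be
// wired into any server (e.g. called from a Node http request listener with
// secure = req.socket.encrypted, host = req.headers.host, path = req.url).

const HSTS_VALUE = 'max-age=63072000; includeSubDomains; preload';

// Hosts this deployment answers for (constructed for the example). Anything
// else in the Host header is sent to the canonical host instead of echoed back.
const ALLOWED_HOSTS = new Set(['foo.com', 'www.foo.com']);
const CANONICAL_HOST = 'www.foo.com';

function handle(req) {
  // Normalise the Host header: lower-case, strip any explicit port.
  const requested = String(req.host || '').toLowerCase().replace(/:\d+$/, '');
  const host = ALLOWED_HOSTS.has(requested) ? requested : CANONICAL_HOST;

  if (!req.secure) {
    // 301 is enough for GET/HEAD; 308 keeps method and body for everything else.
    const status = (req.method === 'GET' || req.method === 'HEAD') ? 301 : 308;
    return {
      status,
      // No Strict-Transport-Security here: a browser ignores it on a plain-HTTP
      // response (RFC 6797 section 7.2), so sending it would only be noise.
      headers: { Location: `https://${host}${req.path}` },
      body: '',
    };
  }

  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS_VALUE,
      'Content-Type': 'text/plain',
    },
    body: `secure hello from ${host}${req.path}`,
  };
}

// Constructed requests: one over HTTP, one over HTTPS.
console.log(handle({ secure: false, method: 'GET', host: 'www.foo.com', path: '/account?x=1' }));
console.log(handle({ secure: true, method: 'GET', host: 'www.foo.com', path: '/' }));
```

Putting the header only on the HTTPS branch is deliberate: it keeps the policy where browsers read it, and it means a misconfigured plain-HTTP listener cannot be mistaken for a protected one during an audit.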
How to Modify Header using Requestly
Requestly is a useful Chrome extension that lets you modify HTTP headers, including the Strict Transport Security header. This helps you test how your website behaves with different security policies during development or troubleshooting. Steps to Modify the Strict Transport Security Header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter Strict-Transport-Security.
- In the “Header Value” field, enter your desired security policy (e.g., max-age=31536000; includeSubDomains).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
After setup, Requestly will add or override the Strict Transport Security header in all matching responses, allowing you to test how your site enforces secure connections and security policies.
You might need to modify this header to check how your website behaves with different security settings or to simulate environments where strict HTTPS enforcement is applied or removed. This helps ensure your site handles security policies correctly before deploying them live. Two caveats apply: the browser only honours the header on an https:// URL with a valid certificate, so a rule applied to an http:// page will not exercise the policy; and a policy with a long max-age outlives the test, so use a throwaway host name where possible and clear the entry afterwards (in Chrome, chrome://net-internals/#hsts lets you query and delete a domain's stored policy).