Tuesday, November 12, 2024
HomeSSL/TLSHTTPS Strict Transport Security (HSTS): What is It and How it Works?

HTTPS Strict Transport Security (HSTS): What is It and How it Works?

Published on

Malware protection

Have you got HTTPS protocol working on your web server? If you answered in yes, that’s great. But have you got the HTTPS Strict Transport Security (HSTS) Policy implemented? I guess your answer is NO… and if it is true, then I’d like to tell you that it’s not a very wise thing. Why? We’ll try to understand that in this article:

The Problem with HTTP

While HTTP is a great protocol that was instrumental in starting the journey of World Wide Web, it has some weaknesses that make it a bad choice for confidential communications. The data transferred using an HTTP connection is transferred as it is, which means if someone can eavesdrop on your data packets he/she can see the entire content going through your HTTP connection (such attacks are called man-in-the-middle attacks). When you’re dealing with secure data (i.e. usernames, passwords, financial information etc.), this can become a major problem as leakage of such data can turn out to be very costly.

The Solution: HTTPS

This led to the development of HTTP Secure or HTTPS. This protocol is essentially HTTP, except for the difference that it encrypts the data being transferred between you and your server. So when you submit some data to a website with HTTPS connection, no one can see it except for you and the site to which you submitted it. But still problems.

- Advertisement - SIEM as a Service

But, There’s Still a Problem

So far, so good. However, there one small caveat. And that small caveat can be used by hackers to bypass HTTPS encryption and fool your browser into communicating over insecure HTTP protocol instead. Such attacks are known as protocol downgrade attacks, and with them, an attacker can keep you away from ever using HTTPS for any particular website.

But How’s It Possible?

The protocol downgrade attacks become possible due to a design flaw of HTTP and HTTPS. The thing is that when you first enter a website address in your browser or click a link, your browser tries to connect to that site via HTTP protocol. Now, if that site uses HTTPS, its server tells your browser to communicate with it over HTTPS instead.

Only then your browser proceeds the connection via secure HTTPS protocol. But the first request in this whole process was sent over HTTP… and that’s where a cyber criminal can do his trick.

Also Read MITM attack over HTTPS connection with SSLStrip

The cyber criminal can impersonate the web server of that site and then in first request (which is sent over HTTP) itself he can present the client with a web page that’s exact copy of the original web page residing on your server, but which will send the username and password to him instead. The attacker can then follow this strategy again and again… thus keeping the user away from ever using HTTPS protocol to communicate with your site.

The Solution: HTTP Strict Transport Security (HSTS)

The solution to this problem of protocol downgrade attacks is HTTP Strict Transport Security policy. What this policy does is telling the web browsers to communicate with your site over HTTPS protocol only and never use HTTP. After that message is communicated the browser remembers that it shouldn’t try to communicate with your website over HTTP, and initiates future requests to your site from HTTPS itself.

Besides that, all popular browsers also come with their own preloaded HSTS lists to which they can refer and figure out whether a website uses HSTS or not. This makes protocol downgrade attacks increasingly difficult.

How HSTS Works

The HSTS policy is enabled by adding the following field to your HTTPS response header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
This field communicates to the browser that your server wants to be accessed over HTTPS protocol only. The

The expire time value tells the browser about time duration for which your site should be accessed via HTTPS protocol only, and with include subdomains value you can apply the same policy to your desired sub domains as well in one go.

Once your website has communicated to popular web browsers with this HSTS policy for some time, the browser makers can also include your site to their pre-loaded list of HSTS sites, a post which your browser will not even need the above-given header to know whether you’ve HSTS enabled or not.

Conclusion

HSTS is a robust policy that you must implement in your web server to make it more secure in general. It’s especially important if your site requires the transfer of sensitive user data. Implement it today to provide the best possible security to your visitors.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

10 Best Linux Distributions In 2024

The Linux Distros is generally acknowledged as the third of the holy triplet of...

Top 10 Best Penetration Testing Companies & Services in 2024

Penetration Testing Companies are pillars of information security; nothing is more important than ensuring...