HTTP Strict Transport Security (HSTS) is an opt-in browser security mechanism that lets web site owners declare “Encrypted Communications Only”.<\/p>\n
Strict-Transport-Security HTTP header instructs browsers to only communicate with the domain over SSL\/TLS for a set period of time (the max-age). HSTS only goes into effect after a browser receives a valid header from the domain. HSTS is to ensure unencrypted communication is not allowed on your domain or site to mitigate attacks such as SSL-stripping.<\/p>\n
The HSTS Header<\/strong><\/p>\n Testing:<\/p>\n https:\/\/securityheaders.com\/<\/p>\n The max-age parameter value is in seconds; 31536000 seconds equals 365 days. Notice how the above also uses includeSubDomains. This optional parameter informs the browser to force secure communication to the site’s subdomains as well.<\/p>\n Browsers must receive the Strict-Transport-Security header over an HTTPS connection with the domain; HSTS headers over HTTP are not recognized as valid.<\/p>\n Threat Mitigation<\/strong> 1. HTTP request to an HTTPS site The above scenario allows for a man-in-the-middle attack as a result of the unintentional HTTP request to SecureSite.com. An attacker can leverage a tool such as ssltrip to transparently hijack the HTTP request prior to the 301 redirect. HSTS eliminates this attack window as long as the user previously accessed SecureSite.com over HTTPS and obtained the HSTS header.<\/p>\n Even with HSTS enabled, a user’s initial request to SecureSite.com would remain unprotected from attacks. As a result, both Chrome and Mozilla introduced HSTS preload lists. If SecureSite.com is on Chrome’s HSTS preload list, a freshly installed Chrome browser will only allow secure connections to that site, even if the user never accessed it before.<\/p>\n 2. Insecure link referencing an HSTS enabled site<\/p>\n For example:<\/p>\n 1. Forum.com includes a link to http:\/\/SecureSite.com HSTS displays an error message as shown below. In addition, it will NOT allow the user to override the error message, thus preventing a potential attack by ensuring the victim does not accept the bad certificate.<\/p>\n Enabling HSTS Afterwards, restart Apache and test the configuration change:<\/p>\n In Nginx, update nginx.conf:<\/p>\n In Rails, HSTS can be enabled with the following:<\/p>\n HSTS Preload Lists Add your site using using the following: Firefox Firefox does not maintain their own list; instead, they use a subset of Google’s. Firefox only accepts sites on Google’s preload list that have a max-age greater than or equal to 18 weeks (10886400 seconds). See https:\/\/blog.mozilla.org\/security\/2012\/11\/01\/preloading-hsts\/ for more information.<\/p>\n Testing HSTS – In Chrome, type the below to determine if a host is in your STS cache – In Firefox, you can use the Strict Transport Security Detector add-on to see if the site supports HSTS (https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/strict-transport-security-d\/)<\/p>\n Source: http:\/\/blog.nvisium.com\/2014\/04\/is-your-site-hsts-enabled.html<\/p>\n","protected":false},"excerpt":{"rendered":" HTTP Strict Transport Security (HSTS) is an opt-in browser security mechanism that lets web site owners declare “Encrypted Communications Only”. Strict-Transport-Security HTTP header instructs browsers to only communicate with the domain over SSL\/TLS for a set period of time (the max-age). HSTS only goes into effect after a browser receives a valid header from the … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,111],"tags":[],"class_list":["post-1447","post","type-post","status-publish","format-standard","hentry","category-apache","category-sslcertificates"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=1447"}],"version-history":[{"count":2,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1447\/revisions"}],"predecessor-version":[{"id":9002,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/1447\/revisions\/9002"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=1447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=1447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=1447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n\nStrict-Transport-Security: max-age:31536000; includeSubDomains \n\n<\/pre>\n
\nHSTS mitigates the following threats.<\/p>\n
\nFor example:
\n1. User wants to visit SecureSite.com
\n2. User types SecureSite.com into the address bar
\n3. Browser automatically appends “http:\/\/” making the following request: http:\/\/SecureSite.com
\n4. Server responds with 301 (permanent redirect) to the following location: https:\/\/SecureSite.com
\n5. Browser makes request to above URL<\/p>\n
\n2. HSTS will automatically convert the link to HTTPS for the HSTS-enabled site
\n3. Invalid Certificate
\nThe following would be considered invalid certificates:
\n– Self-signed and\/or untrusted CA signed certificate
\n– Expired
\n– Wrong name specified
\n– …<\/p>\n
\nYou can enable HSTS in Apache with mod headers and the following line in your configuration:<\/p>\n\n\n<IfModule mod_headers.c>\n# this domain should only be contacted in HTTPS for the next 6 months\nHeader add Strict-Transport-Security "max-age=15768000"\n<\/IfModule> \n\n<\/pre>\n
\n\n# curl -si nvisium.com | grep ^Strict\nStrict-Transport-Security: max-age=31536000 \n\n<\/pre>\n
\n\n# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; \n\n<\/pre>\n
\n\n# config.force_ssl = true\n<\/pre>\n
\nChrome
\nCode repository:
\nhttps:\/\/src.chromium.org\/viewvc\/chrome\/trunk\/src\/net\/http\/transport_security_state_static.json<\/p>\n
\nhttps:\/\/hstspreload.appspot.com<\/p>\n
\nCode repository:
\nhttp:\/\/dxr.mozilla.org\/mozillacentral\/source\/security\/manager\/boot\/src\/nsSTSPreloadList.inc<\/p>\n
\n– Leverage an intercepting proxy (e.g. Burp) or browser tools (e.g. Chrome DevTools \/ Firefox Developer Tools) to examine server responses<\/p>\n
\nchrome:\/\/net-internals\/#hsts<\/p>\n