HSTS Explained: How HTTP Strict Transport Security (HSTS) Works

HTTP Strict Transport Security (HSTS) plays an important role in web security by ensuring that browsers communicate with a website only over encrypted HTTPS connections.

Read on to learn about the importance of HSTS, key features such as HSTS preloading, the threats that HSTS can mitigate, and some of the limitations of the protocol.

What is HTTP Strict Transport Security (HSTS)?

HSTS is a widely used web security mechanism. Its primary objective is to ensure that web browsers access websites only through HTTPS rather than HTTP. The standard was finalized by the IETF as RFC 6797 in 2012.

When a domain is HSTS-enabled, it instructs the browser to use HTTPS whenever a user clicks an HTTP link or enters the address without specifying a protocol, and it prevents users from clicking through warnings about invalid certificates. By upgrading HTTP requests to HTTPS before they leave the browser, HSTS removes the window for insecure access to the site.

The server returns the header in an HTTPS response when the browser visits an HSTS-enabled domain or subdomain. The header instructs the browser to enable HSTS for that host and to remember the policy for a specified duration in seconds. Any subsequent attempt to access the domain over HTTP is automatically converted to HTTPS.

Ultimately, HSTS helps prevent man-in-the-middle attacks and ensures secure access to domains and subdomains. However, when the policy covers subdomains, every subdomain of the parent domain must support HTTPS.

Why is it important to use HSTS?

There are several issues with how browsers handle manually typed URLs and how users reach websites. For example, when a user types an address like "test.com" into the address bar, the browser defaults to HTTP rather than HTTPS. Users may also be on hostile networks that can rewrite HTTPS links to HTTP, or they may click outdated links that still use an HTTP URL.

Moreover, some websites still listen on HTTP ports and redirect users to HTTPS URLs. This redirect is an insecure practice, because the initial request travels unencrypted and can expose users to attacks such as session-cookie hijacking and other man-in-the-middle (MIM) attacks.

How HSTS works

Suppose a user visits an HSTS-enabled website, "https://test.com". The website responds with a Strict-Transport-Security header whose directives tell the browser that all future connections must use HTTPS. Typically, the header gives an expiration time and states whether subdomains are covered. The following is an example of a Strict-Transport-Security header returned by an HSTS-enabled website.

Strict-Transport-Security: max-age=31536000; includeSubDomains

This header tells the browser that the domain and all of its subdomains must be reached over HTTPS for one year (31,536,000 seconds), which also makes any subdomain that only supports HTTP unreachable. The browser stores the policy for the duration given in the header.

When the browser later attempts to reach that domain, it converts any HTTP access to HTTPS. This conversion happens even if the user clicks an HTTP link within the site or manually types a subdomain without a protocol.

In our example, if the browser encounters a subdomain such as "http://sub.test.com", it automatically changes it to "https://sub.test.com". The conversion happens inside the browser, without contacting the server over HTTP, so the communication stays secure. Once the expiration time given in the Strict-Transport-Security header has passed, attempts to load the site over HTTP resume their ordinary behavior instead of being upgraded to HTTPS. The policy is renewed every time the browser encounters the header again.

HSTS preloading 

In the Strict-Transport-Security header there is an optional extra directive called 'preload'. This directive signals whether you want the domain included in the HSTS preload list or removed from it.

For users to benefit from HSTS, their browser must see the HSTS header at least once, so they are protected only after the first successful secure connection to an HSTS-enabled domain. That first visit usually begins with a redirect from HTTP to HTTPS, and during such redirects the browser may never reach the parent website.

If the user never visits the parent website directly, the browser never encounters the HSTS policy with the includeSubDomains directive that applies to the entire domain.

Major browsers like Chrome, Firefox, Safari, Opera, and Edge provide an "HSTS preload list" to address this issue. This list contains domains that are built into those browsers, so Strict Transport Security is enforced automatically, even on the first visit.

Because the list is shared among the popular browsers, the policy is enforced consistently across platforms.

For example, the Chrome security team maintains a form through which you can request that your domains be added to Chrome's HTTP Strict Transport Security (HSTS) preload list. Domains on that list are hardcoded into the browser as HTTPS-only. To qualify, a domain must serve HTTPS on the root domain and all subdomains, redirect HTTP to HTTPS, and send a header with a long max-age, the includeSubDomains directive and the preload directive.

When the browser starts or updates, it retrieves the preload list and enforces HSTS for every domain on it, so users connect to those sites over HTTPS without any extra action or redirect. Browser vendors continually maintain the list, adding new submissions from site owners and removing domains that no longer meet the requirements or no longer wish to enforce the policy.
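To make the browser-side behavior described under "How HSTS works" and the preload requirements above concrete, here is a small Python model written for this article (it is not browser code or an official checker). It parses the Strict-Transport-Security header, keeps a table of known HSTS hosts with expiry and includeSubDomains handling, upgrades HTTP URLs before any request is sent, and checks a header against the three preload directives; the clock is injected so expiry can be exercised, and the real preload list and port mapping are deliberately left out.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    policy = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip():
            policy[name.strip().lower()] = value.strip().strip('"')
    if not policy.get("max-age", "").isdigit():
        return None  # RFC 6797: no numeric max-age means the header is ignored
    policy["max-age"] = int(policy["max-age"])
    return policy

class HstsStore:
    def __init__(self, now):
        self.now = now    # injectable clock (callable returning seconds) so expiry can be tested
        self.hosts = {}   # host -> (expires_at, include_subdomains); simplified model, no preload list

    def observe(self, host, header, over_https=True):
        """Record a policy from a response; a header seen over plain HTTP is ignored."""
        if not over_https or (policy := parse_hsts(header)) is None:
            return
        if policy["max-age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
            return
        self.hosts[host] = (self.now() + policy["max-age"], "includesubdomains" in policy)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or self.now() >= entry[0]:
                continue  # no entry for this name, or its policy has expired
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """The internal HTTP-to-HTTPS upgrade applied before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + parts[1:])
        return url

def preload_eligible(header):  # preload list needs: max-age >= 1 year, includeSubDomains, preload
    policy = parse_hsts(header)
    return bool(policy and policy["max-age"] >= 31536000
                and "includesubdomains" in policy and "preload" in policy)
```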

Common threats addressed by HSTS

Now let’s look at the most common threats that HSTS can minimize. 

Man-in-the-Middle (MIM) attacks

Plain HTTP does not encrypt traffic, so HTTP communication is easier to intercept and redirect to malicious websites, which is exactly what man-in-the-middle attacks do.

HSTS ensures browser requests are encrypted, preventing unauthorized parties from eavesdropping on or intercepting the communication.

Cookie hijacking

Cookie hijacking occurs when an attacker gains unauthorized access to a user's session cookies and uses them to impersonate that user. HSTS helps prevent such attacks by enforcing HTTPS, ensuring that session cookies are transmitted only over encrypted, secure connections.

Protocol downgrade attacks

This is another type of MIM attack in which an attacker forces users onto the weaker HTTP protocol instead of secure HTTPS. By instructing the browser to use HTTPS for all subsequent requests, HSTS-enabled websites prevent protocol downgrading, even if the user enters an HTTP URL.

Certificate-based MIM attacks

MIM attacks can also occur when an attacker presents an unauthorized certificate to users accessing a website. The intention is to get the user to trust and accept the certificate, which can lead to a security compromise.

HSTS effectively prevents users from bypassing the warning message related to the invalid certificate.

The advantages of HSTS

HSTS brings many benefits to organizations, as listed below.

Improves web security

As described earlier, HSTS helps protect against different types of cyberattacks. The secure connection between clients and servers prevents attackers from gaining advantages from weak communication protocols. 

By enforcing HTTPS, HSTS guarantees a secure connection for users — a great first step in web app security. It also stops attackers from interfering with or stealing sensitive information like user data stored in session cookies.

Improved performance

When the user revisits an HSTS-enabled website, the browser does not need to request the page over HTTP and wait for a redirect: it upgrades the URL to HTTPS from its cached policy. Caching the policy in this way saves a round trip and can improve the loading speed of the website.

Enhances user experience and trust

When users know that a website is committed to enforcing HSTS and consistently uses secure HTTPS, it builds trust in using that website securely. It also improves the user experience by removing the certificate warnings that users would otherwise have to click through.

Simplifies implementation

Features like HSTS preloading help to apply the HSTS policies consistently across all subsequent visits, regardless of user actions or prior knowledge of the security features of the website.

Limitations of HSTS

When using HSTS, it is important to understand its limitations and take additional security measures to mitigate them. 

  • Privacy issues. When a browser visits an HSTS-enabled website, the stored HSTS state can be abused as a "supercookie" to tag that browser with identifying information. Such information can persist even in private browsing modes and be used to identify visitors when they later request different domains.
  • Ineffective against DNS-based attacks. Attackers can use DNS spoofing with misleading or fabricated domain names that are not on the HSTS preload list. HSTS does not prevent such attacks.
  • Ineffective against TLS attacks. Even with the HSTS preload list, HSTS does not address advanced attacks on the TLS (Transport Layer Security) protocol itself, such as the BEAST or CRIME attacks.

Implementing HSTS for security

HSTS is an important web security standard that ensures secure communication between web browsers and websites. It enforces HTTPS and prevents insecure access via HTTP. HSTS helps prevent threats like protocol downgrading, MIM attacks, and session-cookie hijacking. The HSTS header, combined with features like HSTS preloading, instructs browsers to always use HTTPS and to cache this policy for faster subsequent visits.

HSTS helps enhance web security, performance, and user trust. Nonetheless, it's important to be aware of the limitations of HSTS, such as privacy issues, and its ineffectiveness against DNS-based and TLS attacks. 

This posting does not necessarily represent Splunk's position, strategies or opinion.

Shanika Wickramasinghe is a software engineer by profession and a graduate in Information Technology. Her specialties are Web and Mobile Development. Shanika considers writing the best medium to learn and share her knowledge. She is passionate about everything she does, loves to travel and enjoys nature whenever she takes a break from her busy work schedule. She also writes for her Medium blog sometimes. You can connect with her on LinkedIn.