A term sometimes thrown around in the web hosting and security space is HSTS. Today, we are going to examine this “protocol”, and how it is put in place to protect your information.
HSTS stands for HTTP Strict-Transport-Security. Don’t confuse it with HTTP or SSL, which have their own distinct functions. HSTS is a straightforward idea: a web server informs a client’s web browser how to handle a secure connection using a header sent in that same connection. The header forces the browser to use HTTPS for a site that enforces HSTS. It does this through a parameter called “max-age”.
This parameter is the length of time (in seconds) for which the web server tells the browser to keep using HTTPS whenever it connects to that site. The browser will also refuse to load any scripts or other resources that the site tries to deliver over plain HTTP. All major browsers today support this function and use it.
Implementing HSTS and forcing users to use HTTPS on your website helps because, according to a White House memorandum it “…reduces the number of insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP”.
For example, if you had logged into Facebook over HTTPS, you would also have received its HSTS header. Because of this, if you clicked a link to Facebook over HTTP, like http://facebook.com, a week later, your browser would automatically redirect to HTTPS because of HSTS. In this way, if that link were attempting to take advantage of the unsecured HTTP connection to perform a Man-in-the-Middle attack or another compromise like cookie hijacking, you would not be affected, because you were using HTTPS.
There is still a window in which a user with a fresh browser install is vulnerable, because that browser has not yet seen the site’s HSTS header. To counter this, a process called pre-loading is used. The Chromium project has already thought this issue through: “Chrome maintains an ‘HSTS Preload List’ (and other browsers maintain lists based on the Chrome list). These domains will be configured with HSTS out of the box.” Chrome ships this as a trusted list of websites that includes Google, Facebook, and PayPal.
Anyone can get on the preload list, as long as they fulfill the requirements. The site https://hstspreload.org/ will tell you if the site you enter is eligible for preloading. We would encourage you to get your site on the list!
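To make the behaviour described above concrete, here is an added example (not code from the original post, and not the hstspreload.org checker itself) that models what a browser does with the Strict-Transport-Security header: it parses `max-age`, `includeSubDomains` and `preload`, remembers the host until the policy expires, only honours the header when it arrived over HTTPS, forgets the host on `max-age=0`, upgrades later `http://` links to `https://`, and treats pre-loaded hosts as known from the first connection. It also applies the header-level preload requirements that hstspreload.org checks (a `max-age` of at least one year, `includeSubDomains`, and the `preload` directive); the checker's other requirements, such as a valid certificate and an HTTP-to-HTTPS redirect, are out of scope here. The `facebook.com` and `example.test` hostnames, the one-week `max-age`, and the `HstsCache` class name are constructed for this example.

```python
"""Added example: a minimal model of browser HSTS handling and the
header-level preload checks. Not the original post's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the required max-age directive is missing or malformed;
    unknown directives are ignored, as a browser would ignore them.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # e.g. max-age=abc or a bare "max-age"
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Constructed stand-in for the browser's per-host HSTS store."""

    def __init__(self, preloaded: Tuple[str, ...] = ()):
        # host -> (expiry time, includeSubDomains); preloaded hosts never expire
        # and are assumed to cover subdomains, as the preload list requires.
        self._entries: Dict[str, Tuple[float, bool]] = {
            host: (float("inf"), True) for host in preloaded
        }

    def observe(self, url: str, header: str, now: float) -> None:
        """Record the policy carried by a response, as a browser would."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # a header received over plain HTTP is ignored (untrusted)
        policy = parse_hsts(header)
        if policy is None or parts.hostname is None:
            return
        if policy.max_age == 0:
            self._entries.pop(parts.hostname, None)  # max-age=0 clears the host
            return
        self._entries[parts.hostname] = (now + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue  # policy has expired; browser would drop it
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is HSTS-known."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def preload_problems(header: str) -> List[str]:
    """Header-level reasons a site would fail the preload list's requirements."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems
```

Running the cache through the post's scenario shows the timing window: an `http://facebook.com` link clicked within the week is upgraded, one clicked after the policy expires is not, and a fresh cache only upgrades the link if the host was pre-loaded.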