Secure web communication over HTTPS isn’t anything fancy anymore these days. It ensures that traffic between a user and your web application cannot be eavesdropped on or tampered with, provided SSL/TLS has been set up securely. But do you trust your web application’s code to disregard unencrypted requests entirely? Are you sure your Apache/IIS is configured to redirect http to https every single time? And how can you be sure that your users, who never bother to type the https:// part of your URL explicitly, won’t be affected by the SSLstrip attack?

Well, sometimes you may be pretty confident about your server configuration – but there are certainly occasions where you simply can’t be. So, wouldn’t it be great if the user’s browser could be told to refuse unencrypted channels for a domain altogether? And to remember that decision for a defined time span?
This is where HSTS comes into play. The acronym stands for “HTTP Strict Transport Security” and denotes a fairly new HTTP response header that forces a user agent to interact with the server solely over HTTPS. It was officially approved by the IESG on 2nd October 2012 and is specified in RFC 6797. Let’s have a look at it:

Strict-Transport-Security: max-age=2628000

That response header causes a modern browser with HSTS support to never interact with the server in an unencrypted way for one month. So, in case your web application accidentally issues a non-https redirect (or anything else happens that would cause a non-https connection – e.g. a JavaScript or CSS resource loaded over http from the same domain), the user’s browser simply uses https instead. This web security policy mechanism can be extended with the optional includeSubDomains directive. That way, not very surprisingly, all subdomains of the host are put into the HSTS scope as well:

Strict-Transport-Security: max-age=2628000; includeSubDomains

Setting the max-age value to a month is the default recommendation, but this parameter should take the common usage pattern of your website into account. If your users connect only once a month, you might want to extend the max-age period to avoid having the HSTS policy expire in between.

Downsides? Sure.

The very first request to an HSTS web site may still be sent over http and is thus exposed to a standard Man-In-The-Middle attack (Bootstrap MITM). In that phase, an attacker could tamper with the HSTS response header and inject invalid subdomains (DoS), disable HSTS (by setting max-age to 0) or otherwise poison the user agent’s HSTS cache. However, wrongly stored HSTS policies can simply be removed by clearing the local browser cache.

Another downside is rather an organizational one: once you have pushed an HSTS policy to your clients, you are of course no longer as free to switch back to non-https connections. Their browsers are configured to ignore http for the time span you have defined. Simple fix: push a temporary policy with ‘max-age=0’ to disable it again. Also, the process of keeping your certificates valid must be properly implemented. With HSTS, there is zero tolerance for problems with SSL certificates, as the user is no longer able to bypass SSL warnings and “click through”.
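To make the behaviour described above concrete, here is a small model of how a user agent stores and applies HSTS policies according to RFC 6797: parsing max-age and includeSubDomains, ignoring a header that arrives over plain http (the bootstrap case), deleting a policy on max-age=0, and deciding per host whether a request has to be upgraded. It is an added example, not code from the original post; the class name and the host names used are constructed for illustration.

```python
import time

# Added example (not from the original post): a toy HSTS policy store.
class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    @staticmethod
    def parse(header):
        """Parse a Strict-Transport-Security value; None means 'ignore it'."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age":
                if max_age is not None or not value.isdigit():
                    return None  # duplicate or malformed max-age: ignore header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None  # max-age is mandatory
        return max_age, include_sub

    def receive(self, host, header, over_tls, now=None):
        """Apply a header received for `host`; True if the store changed."""
        now = time.time() if now is None else now
        if not over_tls:
            return False  # RFC 6797: ignore the header on non-secure transport
        parsed = self.parse(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 deletes the policy
            return True
        self.policies[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now=None):
        """True if a request to `host` has to be rewritten to https."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            # i == 0 is the exact host; longer suffixes only count with includeSubDomains
            policy = self.policies.get(".".join(labels[i:]))
            if policy and now < policy[0] and (i == 0 or policy[1]):
                return True
        return False
```

Expired policies are simply skipped here; a real browser would also evict them.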

Use it? Yes!

The advantages of HSTS clearly outweigh its downsides. It even defeats some issues it wasn’t planned for: HSTS helps in fixing mixed-content issues, prevents cookie values from being sent in plain text (in case you don’t set their ‘secure’ flag), and it may even reduce network latency by saving superfluous http-to-https redirects. Unfortunately, not all browsers support it yet, most prominently Internet Explorer. However, given that HSTS has just been officially approved, Microsoft will probably need to introduce it soon.

References: