What is HTTP Strict Transport Security?
HTTP Strict Transport Security or HSTS is a web security policy mechanism that helps websites prevent attacks such as protocol downgrade attacks and cookie hijacking (to know more on cookie hijacking: What is Cookie Hijacking?). Using this HSTS policy, web applications declare to web browsers that only a secure HTTPS connection should be used to interact with the website, and that the insecure HTTP protocol should never be used until a specified time has elapsed, for example one year.
Why do we need HTTP Strict Transport Security?
When a web browser connects to a website, normally there is no way for the browser to know whether the website uses a secure HTTPS connection (How does HTTPS work?) or an insecure HTTP connection. So, if the webserver establishes an insecure HTTP connection, there is no way for the web browser to know whether it was meant to be an HTTP connection or whether the insecure connection was established because of an attack.
For example, in a protocol downgrade attack, the attacker intercepts the initial conversation between the web browser and the webserver and alters it in such a way that both the webserver and the web browser are tricked into believing that the connection was only ever meant to be an insecure, unencrypted one; each side thinks SSL/TLS is not implemented by the other. The attacker is then free to steal sensitive data transferred over the insecure connection. You can find details of such an attack here: TLS Downgrade Attack For Email Transport.
HTTP Strict Transport Security or HSTS is a policy that can safeguard websites from these attacks. Using this policy, the webserver sends a header to the web browser and lets it know that all connections made to the website are meant to be secure HTTPS connections. So, if the web browser finds anything otherwise, an error message is displayed (e.g. "The server's TLS certificate is not trusted") and the user is warned about a possible attack.
How is HTTP Strict Transport Security implemented?
HTTP Strict Transport Security or HSTS is implemented in the following manner:
- When a web browser connects to the webserver for the first time, or for the first time after a certain interval, the webserver sends a header to the web browser, e.g. Strict-Transport-Security: max-age=31536000, to indicate that all connections made to the website during that interval (max-age, one year in this example) should be secure HTTPS connections.
- The web browser turns any insecure http link referring to the website into a secure https link.
- From then on, until the max-age time elapses, if any connection to the website fails to be a secure connection, an error message (e.g. "The server's TLS certificate is not trusted") is displayed to the user, so that the user is warned in advance about a possible attack.
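The browser-side behaviour described in the steps above, as an added example that is not part of the original article: it parses the Strict-Transport-Security header, remembers the host until max-age runs out, and upgrades http:// links for that host in the meantime. It goes slightly beyond the article by also honouring the includeSubDomains directive and the rule from RFC 6797 that a policy received over plain HTTP is ignored; the host names and times are constructed.

```python
# Added example, not from the original article: a toy model of the browser side of
# HSTS, built on the header format the article describes (host names are constructed).
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Return (max_age_seconds, include_subdomains), or None if the header is malformed."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():        # RFC 6797: max-age must be a non-negative integer
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Maps a host to (expiry_time, include_subdomains), as a browser's HSTS store does."""
    def __init__(self):
        self.entries = {}

    def process_response(self, host, over_https, header, now):
        # A policy is only accepted over HTTPS (RFC 6797); over plain HTTP an attacker
        # on the path could have injected or stripped it, so it is ignored.
        if not over_https or header is None or (parsed := parse_hsts_header(header)) is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:                 # max-age=0 tells the browser to forget the host
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_subdomains)

    def is_known_https_host(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):     # check the host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite_url(self, url, now):
        """Upgrade an http:// link to https:// while the host's policy has not expired."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known_https_host(p.hostname or "", now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

Once the entry expires, or the server sends max-age=0, the cache stops upgrading links for that host, which is exactly the window the next section's limitation refers to.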
Limitation of HTTP Strict Transport Security
When a web browser connects with the webserver for the first time or the first time after the certain …