HSTS (HTTP Strict Transport Security)

Definition

HSTS is a web security policy mechanism that protects websites against protocol downgrade attacks and cookie hijacking. When a browser receives an HSTS header, it will only connect to the site over HTTPS for a specified period, never over HTTP.

Once a policy is stored, HSTS prevents an attacker on the network path from intercepting the initial plain-HTTP request of a visit and redirecting the user to a malicious site or mounting a man-in-the-middle attack.

How HSTS Works

First visit:
  User → http://example.com → Server → (redirect to https://example.com)
  User → https://example.com → Server → "Strict-Transport-Security: max-age=31536000; includeSubDomains"
  Browser stores the HSTS policy locally (the header is only honored on an HTTPS response; one received over plain HTTP is ignored)

Subsequent visits:
  User → http://example.com → Browser → (internal rewrite to https://example.com, no HTTP request sent)
  User → https://example.com → Server → (serve content)

On every visit after the first, the browser rewrites the URL to HTTPS before any request leaves the machine, so there is no plain-text request for an attacker to intercept or downgrade.

HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  Directive            Purpose
  max-age=<seconds>    How long (in seconds) the browser enforces HTTPS for this host
  includeSubDomains    Apply the policy to all subdomains as well
  preload              Opt in to the browsers' built-in HSTS preload lists

HSTS Preload

Browsers maintain preloaded HSTS lists that are built into the browser. Sites on the preload list are always accessed over HTTPS, even on first visit (before any HSTS header is received).

HSTS Best Practices

  • Start with: max-age=31536000 (1 year)
  • Add: includeSubDomains so every subdomain is covered, not just the bare host
  • Add: preload only once you meet the preload requirements (it is hard to undo)
  • Test: https://securityheaders.com/ for HSTS validation
  • Check: run the HSTS preload checker against your header before submitting
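
The following is an added example, not code from the original page or from any browser vendor. It models what the "How HSTS Works", "HSTS Header" and "HSTS Best Practices" sections describe: a small browser-side policy store that parses the Strict-Transport-Security header, honours it only on HTTPS responses, rewrites later http:// navigations for the host (and its subdomains when includeSubDomains is set), expires policies after max-age, and treats a built-in preload list the same way. It also checks a header against the three directives the best-practices list asks for. The hostnames, the preload list contents, and the one-year threshold used by preload_ready() are constructed assumptions for this example.

```python
"""Simulated browser-side HSTS handling (added example, not from the page)."""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # max-age value the page recommends as a starting point


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is unusable (missing, non-numeric or
    duplicated max-age); a browser then behaves as if no header was sent.
    Directive names are case-insensitive and unknown ones are ignored.
    """
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """Per-host HSTS cache plus a (constructed) built-in preload list."""

    def __init__(self, preload_list=(), now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._preloaded = {h.lower() for h in preload_list}
        self._policies: dict = {}  # host -> (HstsPolicy, time stored)

    def receive(self, host: str, header: Optional[str], over_https: bool) -> bool:
        """Apply an STS header from a response for `host`; True if the store changed.

        The header is ignored on plain-HTTP responses (anyone on the path could
        forge it there), and max-age=0 removes an existing policy.
        """
        if not over_https or header is None:
            return False
        policy = parse_hsts_header(header)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = (policy, self._now())
        return True

    def is_known_https(self, host: str) -> bool:
        """Walk from the exact host up through its parents looking for a policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), (i == 0)
            entry = self._policies.get(candidate)
            if entry is not None:
                policy, stored_at = entry
                if self._now() - stored_at > policy.max_age:
                    del self._policies[candidate]  # policy has lapsed
                elif exact or policy.include_subdomains:
                    return True
            if candidate in self._preloaded:
                return True  # assumption: preload entries always cover subdomains
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser will actually request for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url  # first visit without a policy: the plain-HTTP request goes out


def preload_ready(header: str) -> list:
    """Reasons (empty list = none) a header fails the three best-practice checks."""
    policy = parse_hsts_header(header)
    if policy is None:
        return ["header is missing or has no valid max-age"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


if __name__ == "__main__":
    store = HstsStore(preload_list=["preloaded.example"])
    print(store.navigate("http://example.com/login"))  # first visit: still http
    store.receive("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(store.navigate("http://example.com/login"))  # now rewritten to https
    print(store.navigate("http://api.example.com/v1"))  # subdomain covered
    print(store.navigate("http://preloaded.example/"))  # preloaded: https on first visit
    print(preload_ready("max-age=300"))
```

The first navigate() call before any policy exists is the "first visit" gap from the Limitations list: nothing in the store (or preload list) matches, so the plain-HTTP request is sent as typed. Running the same call again after receive() shows the upgrade happening inside the browser model, with no HTTP request to intercept.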

HSTS Limitations

  • First visit vulnerability: Without preload, the very first visit still starts over plain HTTP, before any policy is stored
  • Self-signed certs: Browsers refuse to let the user click through certificate errors on an HSTS host, so a self-signed or otherwise invalid certificate makes the site unreachable
  • Admin override: Administrators can bypass HSTS (a security risk in itself)
  • Not a silver bullet: Does not protect against all attacks (e.g., phishing)
  • TLS: HSTS ensures HTTPS-only connections
  • SSL: HSTS requires valid TLS certificates