
Cloud Hosting Glossary

Struggling to tell your APIs from your CDNs? Read our comprehensive cloud computing glossary covering the most common terms.


HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy feature that helps guard websites against man-in-the-middle attacks by enforcing that web browsers always communicate with the site securely over HTTPS rather than insecure HTTP. It is enforced via an explicit HTTP response header called Strict-Transport-Security, which tells browsers to use only HTTPS for all subsequent interaction with the site.

How HSTS Works

Initial Connection: The first time a user loads a website over HTTPS, the server sends back an HSTS header containing a max-age directive that dictates how long the browser should retain the instruction to use HTTPS.

Browser Behavior: The browser caches this data and automatically replaces all subsequent HTTP requests with HTTPS for the time indicated. This prevents attackers from redirecting users to unsafe HTTP connections.

Protection Against Attacks: HSTS guards against protocol downgrade attacks, including SSL stripping, in which an attacker forces the browser to use HTTP in place of HTTPS, making it possible for the attacker to sniff sensitive information.

Key Features of HSTS

Security: Ensures that all communications between the browser and the website are encrypted, preventing eavesdropping and tampering.

Prevention of Certificate Warnings: Users cannot click through warnings about invalid SSL certificates on an HSTS-protected site, further enhancing security.

Subdomain Protection: The includeSubDomains directive can be used to apply HSTS to all subdomains of a site.
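As an added illustration of the header parsing, caching and subdomain behaviour described in the two sections above (this is example code written for this entry, not code from the glossary or from any browser; it is a simplified model of what a browser does, following RFC 6797, and the host names used in it are constructed), the following Python parses a Strict-Transport-Security value, stores the policy with its expiry, and decides whether a later plain-HTTP request to a host or one of its subdomains should be upgraded:

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload),
    or None when it is invalid. Names are case-insensitive; unknown directives are ignored."""
    max_age, include_sub, preload = None, False, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None                 # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None                         # max-age is mandatory (RFC 6797)
    return max_age, include_sub, preload


class HstsCache:
    """Simplified model of a browser's HSTS store: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self.policies = {}

    def record(self, host, header, now, over_https=True):
        """Store the policy from a response; returns True if the header was accepted."""
        if not over_https:
            return False                    # HSTS headers on plain-HTTP responses are ignored
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        if max_age == 0:
            self.policies.pop(host.lower(), None)   # max-age=0 tells the browser to forget the host
        else:
            self.policies[host.lower()] = (now + max_age, include_sub)
        return True

    def should_upgrade(self, host, now):
        """True when an http:// request to host must be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):        # the host itself, then each parent domain
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= now:
                continue                    # no policy, or it has expired
            if i == 0 or policy[1]:
                return True                 # exact host, or parent with includeSubDomains
        return False
```

A real browser additionally requires the HTTPS response that carried the header to have had no certificate errors; that check is left out here for brevity.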

Real-World Example

Imagine a user logging into their online banking account using a public Wi-Fi connection. Without HSTS, an attacker on that network could intercept the first HTTP request and divert the user to an imposter site. But if the bank website employs HSTS, the browser will use HTTPS by default, avoiding such attacks and keeping the user’s information safe.

Things to Keep in Mind

Implementation: Make your site available on HTTPS before putting HSTS in place to prevent access problems.

Preloading: Include your website on the HSTS preload list so that browsers enforce HTTPS even on the very first visit, before any HSTS header has been seen.

Browser Support: The majority of top browsers support HSTS, though some older or mobile browsers may not.

In short, HSTS is an important security practice that strengthens the security of web applications by requiring HTTPS connections and defending against man-in-the-middle attacks. With knowledge of how HSTS functions and proper implementation, websites can greatly enhance their security stance.