Experts Blog

HTTP Strict Transport Security

  • Unic Author

HTTP Strict Transport Security (HSTS) is an easy-to-implement measure that improves the security of websites that are fully reachable through TLS (SSL).

How to implement the header

«HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.» [1] The standard is described in detail in RFC 6797 [2].

The header itself is simple: Strict-Transport-Security: max-age=<seconds>. Browsers only honour it on responses received over HTTPS; on a plain HTTP response it is ignored (RFC 6797, section 8.1), so it protects returning visitors, not the very first request.

Optionally, the includeSubDomains directive extends the policy to all subdomains, and the preload directive can be added. preload is not part of RFC 6797; it signals that the domain owner consents to the domain being shipped in the built-in HSTS lists of browsers. Domains have to be submitted to that list manually at https://hstspreload.org/, which requires a valid HSTS header (including preload) on the domain first.

Before HSTS is implemented, two things have to be checked:

  1. Does the whole website use TLS exclusively (including any external content it embeds)? If yes, HSTS can be implemented, at least without subdomains.
  2. Does the affected domain have any subdomains (e.g. vpn.unic.com) that are not TLS-enabled? If not, i.e. all subdomains are TLS-enabled, includeSubDomains can be set as well.

The following recommendations help in choosing which header to set. A shorter max-age allows a faster reaction in case anything goes wrong: a browser that has received the header keeps enforcing HTTPS for the domain until max-age expires or it receives a new header with max-age=0, and that new header must again arrive over HTTPS. A mistake made with a long max-age therefore cannot be undone quickly.

How to choose which header to set

We recommend the following approach (adapted from [3]).

  1. Ensure all content of the site works properly over HTTPS.
  2. Examine and fix any redirects, especially from HTTP to HTTPS and from the domain to a subdomain (e.g. unic.com to www.unic.com).
  3. Ensure the TLS certificate and the complete chain are valid for the domain and for any subdomains your redirects point to.
  4. Add the Strict-Transport-Security header to all HTTPS responses and ramp up the max-age in stages, using the following header values: 5 minutes, 1 week, 1 month. During each stage, fix any problems that come up and then wait for the full max-age of the stage before you move on (e.g. wait a month in the last stage).
  5. Once you're confident that there will be no more issues, increase the max-age to 1 year.
  6. Examine all subdomains (and nested subdomains) of your site and make sure that they work properly over HTTPS.
  7. For best security, set: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. This is also what the preload list requires: a max-age of at least one year, includeSubDomains and preload.
  8. Submit the site to be preloaded via https://hstspreload.org.

Redirects and Subdomains

Ideally, the HSTS header is set on every response for the top-level domain itself, not only on www, and that includes the redirect responses. Since browsers ignore the header on plain HTTP, it is important for any redirect to first go to HTTPS on the same host and only then to a subdomain, e.g.: unic.com -> http://unic.com -> https://unic.com -> https://www.unic.com. The HTTPS redirect from unic.com to www.unic.com must carry the HSTS header itself; a header only on the final www page is not enough. Otherwise, it is not possible to submit the domain to the preload list.
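As an added example (not code from the original post or from Unic), the following Python script parses a Strict-Transport-Security value the way RFC 6797 prescribes, reports why a value would fail the preload list requirements, and checks a redirect chain like the one above, so it covers the header syntax, the staged max-age values and the redirect rule together. All sample header values and both redirect chains are constructed for illustration; unic.com is only the host name used in the post.

```python
# Added example (not code from the original post or from Unic): parse a
# Strict-Transport-Security header per RFC 6797 section 6.1 and check it,
# and a redirect chain, against the hstspreload.org requirements.
# All sample header values and redirect chains below are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # max-age the preload list requires, and the post's final stage

@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse an STS field value. Returns None where a browser would ignore the
    header: max-age missing or not a digit string, or any directive repeated.
    Names are case-insensitive; unknown directives are ignored (RFC 6797 6.1)."""
    seen = set()
    max_age = None
    include_sub = preload = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:                      # tolerate a trailing ';'
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None                  # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":            # value is a token or a quoted-string
            m = re.fullmatch(r'"(\d+)"|(\d+)', val.strip())
            if not m:
                return None
            max_age = int(m.group(1) or m.group(2))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else Hsts(max_age, include_sub, preload)

def preload_problems(h: Hsts) -> List[str]:
    """Reasons the preload list would reject this header; empty if eligible."""
    problems = []
    if h.max_age < ONE_YEAR:
        problems.append(f"max-age {h.max_age} is below one year ({ONE_YEAR})")
    if not h.include_subdomains:
        problems.append("includeSubDomains missing")
    if not h.preload:
        problems.append("preload missing")
    return problems

def check_redirect_chain(chain) -> List[str]:
    """Check a captured chain of (url, response headers) hops. The plain-HTTP hop
    must redirect to HTTPS on the same host before any other redirect, and every
    HTTPS hop, the redirects included, must carry a preload-eligible header:
    the redirect response is what a client gets for the bare domain."""
    problems = []
    for url, headers in chain:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # Browsers ignore STS over plain HTTP (RFC 6797 8.1); only the target matters.
            loc = urlsplit(headers.get("Location", ""))
            if (loc.scheme, loc.hostname) != ("https", parts.hostname):
                problems.append(f"{url}: must redirect to https://{parts.hostname} first")
            continue
        h = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if h is None:
            problems.append(f"{url}: no valid Strict-Transport-Security header")
        else:
            problems.extend(f"{url}: {p}" for p in preload_problems(h))
    return problems

FULL = "max-age=31536000; includeSubDomains; preload"
# Constructed chain following the post's example: http -> https -> https://www
GOOD_CHAIN = [
    ("http://unic.com/", {"Location": "https://unic.com/"}),
    ("https://unic.com/", {"Location": "https://www.unic.com/", "Strict-Transport-Security": FULL}),
    ("https://www.unic.com/", {"Strict-Transport-Security": FULL}),
]
# Constructed: the HTTP hop jumps straight to www, the bare-domain redirect has no
# header, and www still sits at the one-month rollout stage.
BAD_CHAIN = [
    ("http://unic.com/", {"Location": "https://www.unic.com/"}),
    ("https://unic.com/", {"Location": "https://www.unic.com/"}),
    ("https://www.unic.com/", {"Strict-Transport-Security": "max-age=2592000"}),
]

if __name__ == "__main__":
    for value in ("max-age=300", 'Max-Age="31536000"; preload', "max-age=300; max-age=600", FULL):
        h = parse_hsts(value)
        print(f"{value!r:50} ->", "ignored by browsers" if h is None else preload_problems(h) or "preload-eligible")
    for problem in check_redirect_chain(BAD_CHAIN):
        print("problem:", problem)
```

Run it directly to see the sample output; to check a real site, capture the URL and response headers of each hop (for example with curl -sI) and pass them as the chain. Note that RFC 6797 requires browsers to process only the first Strict-Transport-Security header field in a response and to ignore a field in which a directive repeats, so when a load balancer adds the header on top of one a backend already sets, check what actually arrives at the browser rather than what each component is configured to send.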

How to set HSTS headers

We configure the HSTS headers on our F5 BIG-IP load balancer, which terminates HTTPS for the internal virtual hosts. Setting the header in that one place eliminates the availability problems that could arise if the individual virtual hosts behind the load balancer set it on their own.
Tools: https://app.upguard.com/webscan or https://www.ssllabs.com/ssltest/ can be used to check for HSTS headers, and https://hstspreload.org reports whether the domain meets the preload requirements.

Enabling HSTS is a simple, yet effective way to increase the security of your users, data, and websites. 

Sources:

[1] https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
[2] https://tools.ietf.org/html/rfc6797
[3] https://hstspreload.org