Understand how HSTS (HTTP Strict Transport Security) works and how it protects you on the internet

HSTS (HTTP Strict Transport Security) is a web security technique that helps you protect against the likes of downgrade attacks, MITM (Man in the middle) attacks, and session hijacking. HSTS accomplishes this by forcing web browsers to communicate over HTTPS and rejecting requests to use insecure HTTP.

Originally drafted in 2009 by a group of PayPal employees, HSTS was first published in 2012. Today, the HSTS header is recognized by IETF as Internet Standard and has specified it in RFC 6797.


You may have heard tech experts talk about not using public Wi-Fi. But the momentary urge to check your WhatsApp messages is so strong that all the wisdom goes out of the window. After all, “Who is going to hack into MY phone to see what’s in there,” right? Well, we’ve all been there. 99.99% of the times, nothing happens. We turn on our Wi-Fi, we do what we want to do and go home (well, some of us do!). But it wouldn’t be life if it was simple, right?

Contrary to the popular belief that HTTPS is completely sound and secure, it’s not. There are some loopholes even in SSL-enabled websites and hackers are pretty good at exploiting them. Even if a website is HTTPS enabled, there are chances of your identity getting stolen. This is done through a mischievous technique called ‘SSL striping’ or ‘SSL downgrade,’ also regarded as a type of Man in The Middle (MITM) attack.

As implied in the name, the hacker downgrades connection from HTTPS to HTTP. In this technique, the hacker blocks the HTTPS connection to the website’s server and establishes an HTTP connection between him/herself and user. Here, an HTTPS connection occurs but not between user and website, between hacker and website instead. Therefore, any data sent by the user will go unencrypted to the hacker first. Now if a user sends his/her credit card details or any other sensitive information, he/she is under a mountain of trouble. Therefore, even if a website has an SSL installed on it, it might still be vulnerable to data thefts.

ssl strip attack

Enter HSTS.

Now let’s say there’s a website named abc.com. If the administrators of abc.com have enabled HSTS on their website, it forces the browsers to use an HTTPS connection.  As a result, all traffic will have to come through HTTPS only. This way SSL stripping attacks are taken out of the equation (almost!). HSTS also provides an armor against the threats such as session hijacking and data snooping.

How does HSTS Work?

If you want to enable HSTS on your website, first you must add an HTTPS header to the server.

Here’s the header you should add:

Strict-Transport-Security: max-age=expireTime; includeSubDomains; preload

As far as the header is concerned, entering max-age is a must. Basically, it’s the time for which you want HSTS on your site. It should be entered in seconds. Apart from the max-age, one can enter includeSubDomains and preload flags if he/she wishes to. The flag includeSubDomains is entered to ensure that the entire website gets the protection of HSTS umbrella including its subdomains. Although it’s not necessary to include it in the header, we highly recommend it. The preload flag you see at the end of the header is used to inform the browsers that the website has been added to the HSTS preload list. You should include preload only if you have preloaded your domain(s). If not, leave it blank.

Once you add the header to your web server, it ensures that the connection is made only via the HTTPS tunnel. However, this too has its own pitfall. The web browsers will obey web server’s HSTS order only if the first visit comes by means of HTTPS protocol. If the first visit made is over an HTTP connection, the browsers will reject the header and function as they used to.

green padlockIn 2017, HTTPS has become a minimum standard from a security point of view. As it always happens, hackers have come up with ways to bypass SSL. HSTS represents a powerful solution to the possible dangers. Some of the biggest names on the internet including Google comply with the HSTS policy to make the internet a safer place for everyone.

Last but not the least, avoid using public Wi-fi as much as you can. And if you have to, DO NOT send any sensitive information because you never know!!!

Resources to Read


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.