![\"ssl](\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2017\/10\/ssl-strip-attack.png\")
<\/p>\nHSTS (HTTP Strict Transport Security) is a web security technique that helps you protect against the likes of downgrade attacks, MITM (Man in the middle) attacks, and session hijacking. HSTS accomplishes this by forcing web browsers to communicate over HTTPS and rejecting requests to use insecure HTTP.<\/p>\n
Originally drafted in 2009 by a group of PayPal employees, HSTS was first published in 2012. Today, the HSTS header is recognized by IETF as Internet Standard and has specified it in RFC 6797.<\/p>\n
You may have heard tech experts talk about not using public Wi-Fi. But the momentary urge to check your WhatsApp messages is so strong that all the wisdom goes out of the window. After all, \u201cWho is going to hack into MY phone to see what\u2019s in there,\u201d right? Well, we\u2019ve all been there. 99.99% of the times, nothing happens. We turn on our Wi-Fi, we do what we want to do and go home (well, some of us do!). But it wouldn\u2019t be life if it was simple, right?<\/p>\n
Contrary to the popular belief that HTTPS is completely sound and secure, it\u2019s not. There are some loopholes even in SSL-enabled websites and hackers are pretty good at exploiting them. Even if a website is HTTPS enabled, there are chances of your identity getting stolen. This is done through a mischievous technique called \u2018SSL striping\u2019 or \u2018SSL downgrade,\u2019 also regarded as a type of Man in The Middle (MITM) attack.<\/p>\n
As implied in the name, the hacker downgrades connection from HTTPS to HTTP. In this technique, the hacker blocks the HTTPS connection to the website\u2019s server and establishes an HTTP connection between him\/herself and user. Here, an HTTPS connection occurs but not between user and website, between hacker and website instead. Therefore, any data sent by the user will go unencrypted to the hacker first. Now if a user sends his\/her credit card details or any other sensitive information, he\/she is under a mountain of trouble. Therefore, even if a website has an SSL installed on it, it might still be vulnerable to data thefts.<\/p>\n
<\/p>\n
Enter HSTS.<\/strong><\/p>\n Now let\u2019s say there\u2019s a website named abc.com. If the administrators of abc.com have enabled HSTS on their website, it forces the browsers to use an HTTPS connection.\u00a0 As a result, all traffic will have to come through HTTPS only. This way SSL stripping attacks are taken out of the equation (almost!). HSTS also provides an armor against the threats such as session hijacking and data snooping.<\/p>\n If you want to enable HSTS on your website, first you must add an HTTPS header to the server.<\/p>\n Here\u2019s the header you should add:<\/p>\n As far as the header is concerned, entering max-age is a must. Basically, it\u2019s the time for which you want HSTS on your site. It should be entered in seconds. Apart from the max-age, one can enter includeSubDomains <\/strong>and preload<\/strong> flags if he\/she wishes to. The flag includeSubDomains <\/strong>is entered to ensure that the entire website gets the protection of HSTS umbrella including its subdomains. Although it\u2019s not necessary to include it in the header, we highly recommend it. The preload<\/strong> flag you see at the end of the header is used to inform the browsers that the website has been added to the HSTS preload list. You should include preload<\/strong> only if you have preloaded your domain(s). If not, leave it blank.<\/p>\n Once you add the header to your web server, it ensures that the connection is made only via the HTTPS tunnel. However, this too has its own pitfall. The web browsers will obey web server\u2019s HSTS order only if the first visit comes by means of HTTPS protocol. If the first visit made is over an HTTP connection, the browsers will reject the header and function as they used to. Last but not the least, avoid using public Wi-fi as much as you can. And if you have to, DO NOT send any sensitive information because you never know!!!<\/p>\n <\/p>\nHow does HSTS Work?<\/h3>\n
Strict-Transport-Security: max-age=expireTime; includeSubDomains; preload<\/pre>\n
\n <\/p>\n![\"green](\"https:\/\/cheapsslsecurity.com\/blog\/wp-content\/uploads\/2018\/09\/ssl-lock-icon.png\"){kind=icon}
In 2017, HTTPS has become a minimum standard from a security point of view. As it always happens, hackers have come up with ways to bypass SSL. HSTS represents a powerful solution to the possible dangers. Some of the biggest names on the internet including Google comply with the HSTS policy to make the internet a safer place for everyone.<\/p>\nResources to Read<\/strong><\/h3>\n