Archive for the ‘HSTS’ Category

HTTP Strict Transport Security (HSTS)

May 24th, 2011 Comments off

The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time. In the latter case, browsers will insert http:// for them.

An attacker can grab that connection, manipulate it and only the most eagle eyed users might notice that it redirected to or some such. From then on, the user is under the control of the attacker, who can intercept passwords etc at will.

An HSTS enabled server can include the following header in an HTTPS reply:

Strict-Transport-Security: max-age=16070400; includeSubDomains

When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS. (So you have to make sure that you can serve them all!).

For more details, see the specification at

HSTS is supported in Google Chrome, Firefox 4, and the popular NoScript Firefox extension

Go to chrome://net-internals/#hsts to check your HSTS settings in Google Chrome.

For a more secure web experience…

Categories: HSTS Tags: , , ,