Strict-Transport-Security Header

The Strict-Transport-Security (STS) header is a security feature implemented in modern web browsers that enforces the use of HTTPS on a website. If not configured correctly, it can leave your website vulnerable to man-in-the-middle attacks.

Introduction

The Strict-Transport-Security (STS) header is a security feature implemented in modern web browsers that enforces the use of HTTPS on a website. This header instructs the browser to automatically redirect all HTTP requests to HTTPS, even if the user enters an HTTP URL in the address bar. This helps prevent attackers from intercepting sensitive information transmitted over unsecured HTTP connections. However, if this header is not configured correctly, it can leave your website vulnerable to man-in-the-middle attacks. In this guide, we will explain how to fix the Strict-Transport-Security header vulnerability in your web application.

Step 1: Understand the Vulnerability

Before you can fix the Strict-Transport-Security vulnerability, it's important to understand how it works and why it's a problem. When a user visits a website for the first time, their browser will receive the STS header from the server, which will tell the browser to only connect to the site over HTTPS for a certain amount of time. This prevents the user from accidentally connecting to the site over an unsecured connection and keeps their data safe.

However, if the STS header is not configured correctly, an attacker can intercept the initial HTTP request from the user and remove the STS header. This allows the attacker to redirect the user to an HTTP version of the site, where they can potentially intercept sensitive information.

Step 2: Implement the Strict-Transport-Security Header

To fix the Strict-Transport-Security vulnerability, you need to implement the STS header correctly on your web server. The header should be added to the HTTP response for all pages on your site, including any subdomains.

The syntax for the STS header is as follows:

Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

The max-age parameter specifies the amount of time (in seconds) that the browser should remember to only connect to the site over HTTPS. We recommend setting this to at least 31536000 seconds (1 year). The includeSubDomains parameter tells the browser to apply the same STS policy to all subdomains of the site.

Here is an example of how to add the STS header to an Apache web server using the .htaccess file:

<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" </IfModule>

If you are using Nginx, you can add the following code to your server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Step 3: Test the Strict-Transport-Security Header

After implementing the STS header, you should test your site to ensure that it is working correctly. You can do this by visiting your site in a web browser and checking the network tab of the browser's developer console. Look for the STS header in the response headers, and make sure that the max-age value is set correctly.

You can also use an online STS header testing tool to verify that your header is implemented correctly. One such tool is available at https://securityheaders.com/.

Step 4: Fix Mixed Content Issues

After implementing the STS header, you may encounter mixed content issues on your site. This occurs when your site's HTML includes resources (such as images, scripts, or stylesheets) that are loaded over HTTP instead of HTTPS. This can cause the browser to display security warnings to the user, which can reduce trust in your site.

To fix mixed content issues, you need to ensure that all resources on your site are loaded over HTTPS. This can be done by updating the URLs for these resources to use the HTTPS protocol. You may need to update links in your HTML, CSS, and JavaScript files, as well as any external libraries or APIs that your site uses.

One way to identify mixed content issues is to use the developer console in your web browser. Look for any warnings or errors related to insecure content, and update the URLs as needed. You can also use a tool like the SSL Check tool (https://www.sslshopper.com/ssl-checker.html) to identify any insecure resources on your site.

Step 5: Enable HTTP Strict Transport Security Preloading

Once you have implemented the STS header on your site, you can take additional steps to improve security by enabling HTTP Strict Transport Security (HSTS) preloading. HSTS preloading is a feature that allows browsers to automatically apply the STS policy to your site, even if the user has never visited your site before.

To enable HSTS preloading, you need to submit your site to the HSTS preload list. This is a list of domains that have been approved by browser vendors to have HSTS enabled by default. To be included on the list, your site must meet certain criteria, including:

  • Having a valid SSL certificate
  • Implementing the STS header with a max-age value of at least 31536000 seconds (1 year)
  • Not including any subdomains that do not support HTTPS

You can submit your site to the HSTS preload list by following the instructions on the following page: https://hstspreload.org/.

Conclusion

The Strict-Transport-Security header is an important security feature that helps protect your site from man-in-the-middle attacks. By implementing the header correctly, you can ensure that all traffic to your site is encrypted and secure. Additionally, by enabling HSTS preloading, you can further improve security by ensuring that browsers automatically apply the STS policy to your site. Remember to test your site after implementing the STS header, and to fix any mixed content issues that you encounter. With these steps, you can help ensure that your site is secure and trusted by users.

Achieve SOC2 Compliance

We make your startup SOC2 compliant by implementing and managing the required security controls for you.

Get Started

Latest Articles