HSTS (HTTP Strict Transport Security) is a security mechanism that was developed to protect HTTPS connections from man-in-the-middle attacks and session hijacking. Using an optional HTTP response header, website operators can signal to web browsers that a site must be retrieved only over an SSL/TLS-encrypted connection for a defined period of time. On the server side, the header field Strict-Transport-Security is used. It contains the mandatory directive max-age and can be extended with the optional directives includeSubDomains and preload:
Strict-Transport-Security: max-age=31536000
The directive max-age indicates for how long a website should exclusively be available in an encrypted form. This period of time is defined in seconds. A max-age of 31,536,000 seconds means a period of one year.
When an internet user visits an HSTS-secured website for the first time, the browser receives the following instructions from the Strict-Transport-Security header field:
- All unencrypted links to the respective website must be overwritten with encrypted links (http:// to https://).
- If the security of the connection can’t be guaranteed (e.g. on the basis of invalid certificates), then it must be terminated. The user is shown an error message.
Optionally, the HSTS policy can be extended to subdomains. In this case, the header field Strict-Transport-Security is supplemented with the directive includeSubDomains. This signals to the browser that the HSTS header is not only intended for the current host (e.g. www.example.com), but also for all subdomains under the specified domain (e.g. also for blog.example.com or adserver.example.com).
Strict-Transport-Security: max-age=31536000; includeSubDomains
The directive preload allows the website to be marked for so-called preloading, which avoids the “first visit problem” described below.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Without the preload parameter, HSTS only affects future visits: once a browser has stored the information from a website’s HSTS header, subsequent requests are handled accordingly. The security measure therefore does not work the first time the site is accessed. Browser developers like Google and Mozilla also offer the option to enter websites into preload lists. Websites that have been registered for preloading are exclusively accessed over HTTPS. Preload lists are managed centrally by browser developers and distributed to user browsers through updates.
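To show how the directives above are interpreted, here is a small added example (not code from the original article) that parses a Strict-Transport-Security value and applies the browser-side rules: max-age expiry, includeSubDomains matching and the http-to-https rewrite. The secure_transport flag and the one-year minimum in preload_eligible are assumptions about browser and preload-list requirements, not something the article states.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

@dataclass
class HstsPolicy:
    host: str            # host the header was received from
    max_age: int         # seconds the host must be treated as HTTPS-only
    include_subdomains: bool
    preload: bool
    received_at: float   # epoch seconds when the header was seen

def parse_hsts(host, header_value, now, secure_transport=True):
    """Parse a Strict-Transport-Security value; return None when the header must be ignored."""
    if not secure_transport:          # assumption: the header only counts when received over TLS
        return None
    max_age, include_subdomains, preload = None, False, False
    for token in header_value.split(";"):
        name, _, value = token.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():   # malformed max-age: discard the whole header
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:               # max-age is mandatory
        return None
    return HstsPolicy(host.lower(), max_age, include_subdomains, preload, now)

def covers(policy, host, now):
    """True while the stored policy still applies to `host` (exact host, or subdomain if allowed)."""
    if policy.max_age == 0 or now - policy.received_at >= policy.max_age:
        return False                  # max-age=0 revokes the policy; otherwise it has expired
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)

def upgrade_url(url, policy, now):
    """Rewrite http:// to https:// for covered hosts, as the browser does after learning the policy."""
    parts = urlsplit(url)
    if parts.scheme == "http" and covers(policy, parts.hostname or "", now):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url

def preload_eligible(policy, min_age=31536000):
    """Assumed preload-list submission criteria: one-year max-age, includeSubDomains and preload."""
    return policy.preload and policy.include_subdomains and policy.max_age >= min_age
```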