Photo by Sai Kiran Anagani on Unsplash

How to implement the HSTS protocol for your website the right way?

In the previous article, we discussed about HSTS protocol and its benefits. We strongly recommend you read it before you proceed.

Now that you understand and appreciate the usefulness of HSTS, in this post we will talk about the implementation of HSTS protocol in your websites and your APIs.

To refresh our memory, the definition of HSTS is as follows:

As per the rfc documentation of HSTS, the syntax of the header is

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

: The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
: If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

Example

Here is an example of configuring HSTS in NGINX and NGINX Plus
Just add the below line in nginx configuration file and you will be good to go

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

A sample config file should look like this

server {
listen 443 ssl;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# This 'location' block inherits the STS header
location / {
root /usr/share/nginx/html;
}

# Because this 'location' block contains another 'add_header' directive,
# we must redeclare the STS header
location /servlet {
add_header X-Served-By "My Servlet Handler";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_pass http://localhost:8080;
}
}

Although we have configured HSTS correctly, there is still one problem.

The Problem

If you recollect from our previous article, we had pointed out that the first time that you access the website, you are not protected by HSTS.

While this is certainly an edge case, but is apparent enough that it cannot be ignored (Isn’t security all about handling the edge cases, and hence will remain an unsolved problem😑. We feel for you CISOs/CTOs).

A Solution

To counter this, Google came up with an HSTS preload service.

This project maintains a list of websites that use HSTS and the list is distributed with browsers. If you add your website to the preload list, the browser first checks the internal list and so your website is never accessed via HTTP, not even during the first connection attempt.

Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list.

The Syntax for a preloaded website look like
Strict-Transport-Security: max-age=<expire-time>; preload

The preload list is not accessed or downloaded by the browser rather is distributed as a hard-coded resource with new browser versions. This means that it can take long time for your domain to come up on the list as well as a long time to get off the list. Before proceeding to add your website to the list, make sure will be able to maintain full HTTPS access to all resources for a long time. If not, you risk that your website will become completely inaccessible.

We at SecOps Solution are constantly working to improve web and API security of organisations.

Identifying top 1% Vulnerabilities in enterprise tech stack