
HTTPS is not enough — Enable this protocol to secure communication

Using HTTPS is considered the best practice for securing communication over a network. But is it really effective on its own? Turns out the answer is NO!

Why is HTTPS alone ineffective?

HTTPS was designed to provide:

  • Bidirectional encryption of communications
  • Protection against man-in-the-middle attacks
  • Prevention of eavesdropping on and tampering with the communication

Unfortunately, although the protocol itself is sound, a man-in-the-middle attack is still possible through SSL stripping. In SSL stripping, an attacker forces the browser to connect to a website over plain HTTP so that the communication can be intercepted and modified.

As you must have guessed, the problem doesn’t lie with the HTTPS protocol itself but with the way it is configured: the website is allowed to accept HTTP connections too.

HSTS to the rescue 🎉

HTTP Strict Transport Security (HSTS) is a mechanism that allows a web server to declare that web browsers should automatically interact with it using only HTTPS connections.

How does it work?

Strict-Transport-Security: max-age=31536000

The Strict-Transport-Security header (we’ll talk about configuring this header in the next article) instructs the browser to connect using HTTPS only, for the duration of one year (31536000 seconds).

It serves two purposes:

  • HTTP connections are not allowed at all. If the browser is asked to load a resource over HTTP, it must make an HTTPS request instead.
  • If HTTPS is not available, the connection must be terminated. If the certificate is not valid, the browser prevents you from making the connection.

Is HSTS the ultimate security protocol?

The first time you access the website over HTTP, you are not protected by HSTS: the browser only accepts the HSTS header from an HTTPS response, so the initial plain-HTTP request and its redirect happen before any policy is in place.

You should also know that the HSTS max-age is refreshed every time your browser reads the header, and that the maximum value is two years only.
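To make the browser-side behaviour described above concrete (the header on L23, the two rules it enforces, the unprotected first visit, and the refreshing max-age), here is a small simulation of an HSTS policy store. This is an added example written for this article, not code from the article or from any browser: it parses the Strict-Transport-Security header, records a per-host policy with an expiry, upgrades http:// URLs for known hosts, refuses connections to known hosts when the certificate is invalid, and refreshes the expiry each time the header is seen again. The two-year ceiling on max-age is taken from the article’s statement and applied here as an assumption; real browsers differ in how they store and cap policies.

```python
"""Simulation of how a browser applies HTTP Strict Transport Security (HSTS).
Added example: simplified model, not a browser's real implementation."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Assumed ceiling on max-age, following the article's "two years" statement.
MAX_AGE_CAP = 2 * 365 * 24 * 3600


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) when the policy lapses
    include_subdomains: bool   # whether the policy also covers subdomains


class HstsStore:
    """Per-host HSTS policies, keyed by lowercase host name."""

    def __init__(self, now=time.time):
        self._now = now         # injectable clock so expiry can be tested
        self._policies = {}

    def process_header(self, host, scheme, header_value):
        """Record or refresh the policy from a Strict-Transport-Security header.
        Returns True if a policy was stored or removed, False if ignored.
        The header is only honoured on HTTPS responses, which is why the very
        first plain-HTTP visit is unprotected."""
        if scheme != "https":
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        max_age_text = directives.get("max-age", "")
        if not max_age_text.isdigit():
            return False               # max-age is mandatory; malformed -> ignore
        max_age = min(int(max_age_text), MAX_AGE_CAP)
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 tells the browser to forget
            return True
        # A repeated header overwrites the entry, i.e. the expiry is refreshed.
        self._policies[host] = HstsPolicy(self._now() + max_age,
                                          "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True if host (or a parent domain with includeSubDomains) has a live policy."""
        host = host.lower()
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._policies[candidate]   # lazy expiry
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Rule 1: an http:// URL for a known host is upgraded to https:// before any request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port not in (None, 80):
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def should_connect(self, host, certificate_valid):
        """Rule 2: for a known host a certificate error is fatal, no click-through."""
        return certificate_valid or not self.is_known(host)


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://example.com/login"))          # first visit: unchanged
    store.process_header("example.com", "https", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.example.com/login"))      # now upgraded
    print(store.should_connect("example.com", certificate_valid=False))  # False
```

The constructed walk-through in the `__main__` block uses example.com and a one-year max-age as sample values. Notice that the store starts empty, so the first http:// URL is returned untouched; only after an HTTPS response carrying the header is any later http:// URL upgraded, and from then on an invalid certificate blocks the connection outright.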

But there is a way to overcome these hurdles. In the next article, we talk about how to configure HSTS for your website and how to work around the above issues.
