HTTP Strict Transport Security (HSTS)? HSTS Preload List? Are they appearing as new words? Not exactly, it is a thing which the major three browsers is trying to implement, there are related works since 2012. In this article, we have discussed the theoretical aspect of HTTP Strict Transport Security (HSTS) and will explain what is HSTS Preload List. In the upcoming articles, we will show you, how to properly configure your server for making it eligible to be included in the HSTS Preload List.
What is HTTP Strict Transport Security (HSTS) and What is HSTS Preload List?
Google Chrome maintains the HSTS preload list and other browsers including Firefox and Safari uses the same list. So, if we can pass the test, we actually getting included in the list for the three browsers.
WordPress is the most commonly used CMS/Blogging software, Ubuntu probably is used most commonly for the cloud servers and Ngnix becoming most popular web server software. So, our guides will be oriented towards server side configuration for these setups. We need to know the theory first.
HTTP Strict Transport Security (HSTS) is defined by IEEE (and copied by Wikipedia) as a web security policy by which a web server declares compatible user agents (like a web browser ) that must interact with them only connections through HTTP Secure / HTTPS protocol. HSTS is a standards protocol and is specified in RFC 6797. HSTS policy is communicated by the server to the user agent through a HTTP response header called “Strict-Transport-Security”. The HSTS policy specifies a period of time during which the user agent must only access the server safely. This website uses HTTP Strict Transport Security (HSTS). It can be easily tested with cURL in OS X or GNU Linux or Microsoft Windows ( Read cURL for Microsoft Windows) :
1 2 3 | curl -s -D- https://thecustomizewindows.com | grep Strict # bigger full header curl -I https://thecustomizewindows.com |
Here is an animated presentation :
Here is the cURL header and the test as simple screenshot :
Advertisement ---
Actually after passing, you need to submit here :
1 | https://hstspreload.appspot.com |
After a successful submission, you will see response like this screenshot :
The HSTS specification was published as RFC 6797 on November 19, 2012 after being approved on October 2, 2012 as a Proposed Standard. HSTS specification is based on original work of Jackson and Barth. When the HSTS policy is active for a website, compatible user agent automatically replaces all the unsafe by secure links before accessing the server. What is basically why the word Preload is appended. It will be invalid with a self-signed certificate. Actually it is for prevention of man-in-the-middle attack.
Browsers that support HSTS :
Google Chrome and Chromium from 4.0.211.0 release.
Firefox since August 25, 2010
Opera 12
Newer Safari
Internet Explorer does not support HSTS (as can be expected! Worse – on Win XP plus IE 6 the basic fails)
We can implement HSTS on Nginx, Apache, Lighttpd or via Programing Language like PHP, Perl, Ruby on Rails, JSP, CFML. Theoretical details can be found here :
1 | http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#ALPN |
Implementation on Apache2
1 2 3 | Header set Strict-Transport-Security "max-age=500" Header append Strict-Transport-Security includeSubDomains # preload not shown |
Implementation on Lighttpd
1 2 3 4 5 | server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000") } # preload not shown |
Implementation on Nginx
1 2 | add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; # yeah with preload |
Implementation with PHP
1 2 3 4 5 6 7 8 9 10 | $use_sts = true; if ($use_sts) { if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') { header('Strict-Transport-Security: max-age=500'); } else { header('Status-Code: 301'); header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']); exit; } } |
We gave some basic examples. So – HSTS, HSTS preload and HSTS preload list are actually different things, if you are not very much techie person. The list, as it means; is a list. HSTS is a defined thing. You can see here for the list part :
1 2 | https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ |
