HSTS and Protecting Websites from Man-In-The-Middle Attacks

HSTS and Protecting Websites from Man-In-The-Middle Attacks

Daily short news for you
  • Hic, I've been really busy lately, and there have been so many changes that I haven't had time to write a longer post. Instead, I'm trying to maintain this short daily update for readers. Since it's short, it's much quicker to write.

    I'm currently tweaking the interface a bit while also adding a new feature. Can you guess what it is? Here's a hint: it has something to do with AI and Tiktok 😁

    » Read more
  • Currently on the 14-day trial of Windsurf, today is day seven, and I have some quick impressions as follows:

    First, the interface is a bit more customizable, giving a flatter and friendlier feel compared to the traditional VSCode.

    Second, the suggestions are super fast but a bit hasty. They’re not always accurate, yet they confidently offer several lines at once. So, not every tab tab is correct. However, it reads context well, better than Copilot.

    Third, the Chat/Edit feature is top-notch, very good, almost a perfect understanding, probably on par with Cursor, but I’m not entirely sure; that's just how it feels.

    Additionally, one annoyance is that sometimes it suggests but the tab doesn’t match, which makes it a hassle to delete.

    I wonder how it will be after the 14 days, so I will continue to update. But overall, it’s way better than Copilot.

    Oh! One more thing, the Vietnamese in this one is terrible. I have no idea why!?

    » Read more
  • smee.io is a simple way to create a webhook address and map it to the localhost address on your computer.

    $ npm install --global smee-client $ smee -u https://smee.io/eu4UoW8vrKSZtTB

    » Read more

Issue

Protecting your website and its users from the dangers of the internet is always an important task. No one wants their website to be compromised or cause serious harm to its users.

Technical specifications, constantly updated in the form of RFC, aim to identify new rules to prevent or at least minimize potential concerns for your website and its users.

HSTS is one of the specifications that helps prevent website attacks through insecure website redirections. So, what exactly is HSTS and how does it work? Keep reading this article to find out.

What is HSTS?

HTTP Strict-Transport-Security (HSTS) tells browsers that a website should only be accessed over HTTPS and any future attempts to access it over HTTP should automatically switch to HTTPS. It might sound like a regular "redirect" from HTTP to HTTPS, but the difference is that with HSTS, your browser handles the redirection instead of the server.

Real-world Attack Scenarios

Real-world Attack Scenarios

If a website redirects from HTTP to HTTPS through server-side settings like Nginx, the initial HTTP request from the user will receive an unencrypted response before being redirected to HTTPS. For example, if you access http://2coffee.dev or even just 2coffee.dev, you will experience a delay while your browser waits for a response before redirecting to https://2coffee.dev. This creates an opportunity for a man-in-the-middle attack. The redirection behavior can be exploited to redirect users to a malicious website instead of the secure original version.

HSTS informs the browser never to load a website over HTTP and instead automatically convert all HTTP accesses to HTTPS.

Imagine you are using a free Wi-Fi hotspot and start browsing the web, accessing your online banking service to check your balance and pay a few bills. Unfortunately, the hotspot you are actually using is a hacker's laptop and they are intercepting your initial HTTP requests to redirect you to a fake banking website instead of the legitimate one. Now, your personal data is at risk of being exposed.

HSTS solves this problem. As long as you have accessed your banking website once using HTTPS and it utilizes HSTS, your browser will automatically use HTTPS, preventing the attacker from performing this man-in-the-middle behavior.

How it Works

When you first visit a website over HTTPS and it returns the Strict-Transport-Security header, your browser records this information so that future visits to the website over HTTP are replaced with HTTPS.

strict-transport-security: max-age=15724800; includeSubDomains

When the expiration time (max-age) specified by Strict-Transport-Security ends, everything works as it did before HSTS was in place. However, whenever strict-transport-security is sent to the browser, it updates the expiration time for that website. So, if a user frequently visits the website, the max-age will be regularly extended. If HSTS needs to be turned off, simply set max-age=0.

Implementation

Implementation

Regardless of which web server you are using, the goal is to add the Strict-Transport-Security header to the response headers of the HTTP request.

For example, if you are using Nginx, open the Nginx configuration file and add the following line:

server {
    listen 443 ssl;

    ...  

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...  

Check out: HTTP Strict Transport Security (HSTS) and NGINX.

The Chrome browser provides the website hstspreload.org where you can submit your website's address to be included in the HSTS preload list. If your website is on this list, even the first visit using HTTP will know that your website has HSTS enabled and will automatically apply the security rules.

Conclusion

HSTS is one of the efforts made by browsers to prevent attackers from targeting users of our websites. Through this article, I hope that everyone becomes aware of the presence of HSTS and can enhance the security of their websites.

Premium
Hello

The secret stack of Blog

As a developer, are you curious about the technology secrets or the technical debts of this blog? All secrets will be revealed in the article below. What are you waiting for, click now!

As a developer, are you curious about the technology secrets or the technical debts of this blog? All secrets will be revealed in the article below. What are you waiting for, click now!

View all

Subscribe to receive new article notifications

or
* The summary newsletter is sent every 1-2 weeks, cancel anytime.
Author

Hello, my name is Hoai - a developer who tells stories through writing ✍️ and creating products 🚀. With many years of programming experience, I have contributed to various products that bring value to users at my workplace as well as to myself. My hobbies include reading, writing, and researching... I created this blog with the mission of delivering quality articles to the readers of 2coffee.dev.Follow me through these channels LinkedIn, Facebook, Instagram, Telegram.

Did you find this article helpful?
NoYes

Comments (0)

Leave a comment...