HSTS and Protecting Websites from Man-In-The-Middle Attacks

Issue

Protecting your website and its users from the dangers of the internet is always an important task. No one wants their website to be compromised or cause serious harm to its users.

Technical specifications, published and kept up to date as RFCs, define rules that prevent, or at least reduce, such risks for your website and its users.

HSTS (RFC 6797) is one such specification: it closes the window opened by the insecure HTTP-to-HTTPS redirect, during which an attacker on the network path can intercept the user. So what exactly is HSTS and how does it work? Keep reading to find out.

What is HSTS?

HTTP Strict-Transport-Security (HSTS) is a response header that tells browsers a site must only be accessed over HTTPS, and that any future attempt to reach it over HTTP must be converted to HTTPS before a request is sent. It may sound like an ordinary HTTP-to-HTTPS redirect, but the difference is that with HSTS the browser performs the upgrade itself, locally, instead of sending a plaintext request and waiting for the server to redirect it. A browser that holds an HSTS policy for a host will also refuse to let the user click through a certificate error for that host, since a bad certificate is exactly what a man-in-the-middle produces.

Real-world Attack Scenarios

If a website redirects from HTTP to HTTPS only through server-side settings such as an Nginx rewrite, the user's first request still goes out as plaintext HTTP and the redirect comes back unencrypted. For example, if you type http://2coffee.dev, or just 2coffee.dev, the browser sends a plain HTTP request and waits for the 301 before moving on to https://2coffee.dev. That round trip is the man-in-the-middle's opportunity: anyone on the path, such as a rogue access point, can answer the plaintext request themselves, either redirecting the user to a look-alike site or, more subtly, serving the real site's pages over HTTP while proxying to the origin over HTTPS (SSL stripping). The browser has no way to tell that response from a legitimate one.

HSTS informs the browser never to load a website over HTTP and instead automatically convert all HTTP accesses to HTTPS.

Imagine you are using a free Wi-Fi hotspot and start browsing the web, accessing your online banking service to check your balance and pay a few bills. Unfortunately, the hotspot you are actually using is a hacker's laptop and they are intercepting your initial HTTP requests to redirect you to a fake banking website instead of the legitimate one. Now, your personal data is at risk of being exposed.

HSTS solves this problem. As long as you have visited your bank's website once over HTTPS, it sent the HSTS header, and the policy has not expired, your browser goes straight to HTTPS and never sends the plaintext request the attacker was waiting for. The one gap is the very first visit, before the browser has ever seen the header; the preload list described in the Implementation section closes it.

How it Works

When you first visit a website over HTTPS and it returns the Strict-Transport-Security header, your browser records the host and the policy, and from then on any attempt to reach that host over HTTP is rewritten to HTTPS before a request leaves the browser.

strict-transport-security: max-age=15724800; includeSubDomains

The max-age value is in seconds (15724800 is 182 days). When it elapses the browser forgets the policy and behaves as it did before HSTS was in place. Every time a valid Strict-Transport-Security header arrives over HTTPS, the browser resets the expiry, so a frequently visited site never lapses. The header is only honoured on HTTPS responses: a browser that accepted it over plain HTTP could be fed a bogus policy by the very attacker HSTS is meant to stop. includeSubDomains extends the policy to every subdomain, so before enabling it make sure nothing under the domain is still served over HTTP only. To turn HSTS off, serve max-age=0 over HTTPS; browsers that have not yet seen that header keep enforcing the old policy until it expires, so HTTPS has to stay available for as long as the longest max-age you ever sent.

Implementation

Regardless of which web server you use, the goal is the same: add the Strict-Transport-Security header to responses served over HTTPS. Browsers ignore the header on plain-HTTP responses, so adding it to the port-80 server block achieves nothing; that block should only redirect.

For example, if you are using Nginx, open the Nginx configuration file and add the following line:

server {
    listen 80;
    # Browsers ignore HSTS over plain HTTP, so this block only redirects.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    ...

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...
}

Check out: HTTP Strict Transport Security (HSTS) and NGINX.

The HSTS preload list is maintained by the Chromium project and shipped inside Chrome, Firefox, Safari and Edge. You submit your domain at hstspreload.org; to be accepted, the site must redirect HTTP to HTTPS, serve every subdomain over HTTPS, and send the header with a max-age of at least one year (31536000), includeSubDomains, and the preload directive. Once your site is on the list, even a browser's very first visit over HTTP is upgraded, closing the trust-on-first-use gap. Treat the decision as permanent: removal takes browser release cycles to propagate, so every subdomain must be ready to be HTTPS-only before you submit. Note that the .dev top-level domain itself is on the list, so sites under it, including 2coffee.dev, are already HTTPS-only in browsers that ship the list.
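To make the behaviour from the How it Works section and the preload list concrete, here is an added example, written for this page rather than taken from the article or from any browser's source: a small model of the browser-side HSTS store from RFC 6797. The host names, headers, preload entries and clock are constructed for illustration; a real browser also checks the certificate before honouring the header, which this model assumes has already happened.

```javascript
// Added example, not code from the original article: a small model of the
// browser-side HSTS policy from RFC 6797, including the preload list.
// Host names, headers, the preload entries and the clock are constructed.

// Parse "max-age=N; includeSubDomains; preload". Returns null when the
// value is malformed (missing or non-numeric max-age), which browsers
// treat as "no policy in this response".
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, value] = directive.split("=").map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age": {
        const v = (value ?? "").replace(/^"(.*)"$/, "$1"); // RFC allows quotes
        if (!/^\d+$/.test(v)) return null;
        policy.maxAge = Number(v);
        break;
      }
      case "includesubdomains":
        policy.includeSubDomains = true;
        break;
      case "preload":
        policy.preload = true;
        break;
      // Unknown directives are ignored, as the RFC requires.
    }
  }
  return policy.maxAge === null ? null : policy;
}

// The browser's HSTS store: hostname -> { expires, includeSubDomains }.
class HstsStore {
  // `preloaded` models the built-in preload list: hosts (or whole TLDs)
  // the browser treats as HSTS-enabled before it has ever seen a response.
  constructor({ now = () => Date.now(), preloaded = [] } = {}) {
    this.now = now;
    this.hosts = new Map();              // dynamic entries learned from headers
    this.preloaded = new Set(preloaded); // built-in list, always includes subdomains
  }

  // Called on every response. The header is only honoured on a response
  // that arrived over HTTPS; over plain HTTP an attacker could inject it,
  // so it is ignored there. Returns true when the store was updated.
  observeResponse(url, headers) {
    const u = new URL(url);
    const value = headers["strict-transport-security"];
    if (u.protocol !== "https:" || value === undefined) return false;
    const policy = parseHsts(value);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.hosts.delete(u.hostname); // max-age=0: forget the host
    } else {
      // Every valid header resets the expiry, so a regularly visited site
      // never lapses.
      this.hosts.set(u.hostname, {
        expires: this.now() + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // Is this host covered, directly or by a parent with includeSubDomains?
  isKnown(hostname) {
    const labels = hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      if (this.preloaded.has(candidate)) return true;
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) {
        this.hosts.delete(candidate); // expired: as if never seen
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Called before a request leaves the browser. Returns the URL actually
  // fetched: upgraded to https with no network round trip if the host is
  // known, unchanged otherwise (only the server redirect protects it then).
  rewriteUrl(url) {
    const u = new URL(url);
    if (u.protocol === "http:" && this.isKnown(u.hostname)) {
      u.protocol = "https:";
    }
    return u.toString();
  }
}

// Usage: the first HTTPS visit records the policy; the next plain-HTTP
// navigation is upgraded locally. "dev" stands in for a preloaded TLD.
const demoStore = new HstsStore({ preloaded: ["dev"] }); // constructed list
demoStore.observeResponse("https://bank.example/", {
  "strict-transport-security": "max-age=15724800; includeSubDomains",
});
console.log(demoStore.rewriteUrl("http://bank.example/login")); // https://bank.example/login
console.log(demoStore.rewriteUrl("http://2coffee.dev/"));       // https://2coffee.dev/
```

The three checks worth noticing are the ones an implementer most often gets wrong: the header is dropped when it arrives over HTTP, an expired entry is treated as never having existed, and a parent domain only covers its children when it was stored with includeSubDomains.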

Conclusion

HSTS is a standard that browsers implement to stop attackers from hijacking the insecure first connection to our websites. Through this article, I hope everyone becomes aware of HSTS and uses it to tighten their own site's security: send the header over HTTPS, keep max-age long, and consider preloading.
