HSTS and Protecting Websites from Man-In-The-Middle Attacks

HSTS and Protecting Websites from Man-In-The-Middle Attacks

Daily short news for you
  • Not to be outdone, Google recently introduced Gemini CLI - a type of AI agent similar to Codex or Claude Code.

    What’s notable is that they offer up to... 1000 queries for free each day. That’s quite a lot. Additionally, they have open-sourced this project to ensure transparency, learning, and research 🤓

    » Read more
  • There’s another tool to help quickly search command history: atuinsh/atuin.

    What’s interesting is that it uses SQLite for storage. It also provides the feature of completely synchronizing (encrypting) history between machines. How cool is that 🤓

    » Read more
  • I am really impressed with the gemma-3n-E4B model from Google. This is one of the promising models that aims to bring large language models to run on mobile devices or the web or embedded...

    It feels like it understands the prompts better, because I’ve tried many low-parameter models that often overlook my prompts. For example, when I say, "Just return the answer, no need for further explanation," many still tend to add introductory phrases or explanations... but with gemma-3n, the responses are very much to the point.

    » Read more

Issue

Protecting your website and its users from the dangers of the internet is always an important task. No one wants their website to be compromised or cause serious harm to its users.

Technical specifications, constantly updated in the form of RFC, aim to identify new rules to prevent or at least minimize potential concerns for your website and its users.

HSTS is one of the specifications that helps prevent website attacks through insecure website redirections. So, what exactly is HSTS and how does it work? Keep reading this article to find out.

What is HSTS?

HTTP Strict-Transport-Security (HSTS) tells browsers that a website should only be accessed over HTTPS and any future attempts to access it over HTTP should automatically switch to HTTPS. It might sound like a regular "redirect" from HTTP to HTTPS, but the difference is that with HSTS, your browser handles the redirection instead of the server.

Real-world Attack Scenarios

Real-world Attack Scenarios

If a website redirects from HTTP to HTTPS through server-side settings like Nginx, the initial HTTP request from the user will receive an unencrypted response before being redirected to HTTPS. For example, if you access http://2coffee.dev or even just 2coffee.dev, you will experience a delay while your browser waits for a response before redirecting to https://2coffee.dev. This creates an opportunity for a man-in-the-middle attack. The redirection behavior can be exploited to redirect users to a malicious website instead of the secure original version.

HSTS informs the browser never to load a website over HTTP and instead automatically convert all HTTP accesses to HTTPS.

Imagine you are using a free Wi-Fi hotspot and start browsing the web, accessing your online banking service to check your balance and pay a few bills. Unfortunately, the hotspot you are actually using is a hacker's laptop and they are intercepting your initial HTTP requests to redirect you to a fake banking website instead of the legitimate one. Now, your personal data is at risk of being exposed.

HSTS solves this problem. As long as you have accessed your banking website once using HTTPS and it utilizes HSTS, your browser will automatically use HTTPS, preventing the attacker from performing this man-in-the-middle behavior.

How it Works

When you first visit a website over HTTPS and it returns the Strict-Transport-Security header, your browser records this information so that future visits to the website over HTTP are replaced with HTTPS.

strict-transport-security: max-age=15724800; includeSubDomains

When the expiration time (max-age) specified by Strict-Transport-Security ends, everything works as it did before HSTS was in place. However, whenever strict-transport-security is sent to the browser, it updates the expiration time for that website. So, if a user frequently visits the website, the max-age will be regularly extended. If HSTS needs to be turned off, simply set max-age=0.

Implementation

Implementation

Regardless of which web server you are using, the goal is to add the Strict-Transport-Security header to the response headers of the HTTP request.

For example, if you are using Nginx, open the Nginx configuration file and add the following line:

server {
    listen 443 ssl;

    ...  

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...  

Check out: HTTP Strict Transport Security (HSTS) and NGINX.

The Chrome browser provides the website hstspreload.org where you can submit your website's address to be included in the HSTS preload list. If your website is on this list, even the first visit using HTTP will know that your website has HSTS enabled and will automatically apply the security rules.

Conclusion

HSTS is one of the efforts made by browsers to prevent attackers from targeting users of our websites. Through this article, I hope that everyone becomes aware of the presence of HSTS and can enhance the security of their websites.

Premium
Hello

Me & the desire to "play with words"

Have you tried writing? And then failed or not satisfied? At 2coffee.dev we have had a hard time with writing. Don't be discouraged, because now we have a way to help you. Click to become a member now!

Have you tried writing? And then failed or not satisfied? At 2coffee.dev we have had a hard time with writing. Don't be discouraged, because now we have a way to help you. Click to become a member now!

View all

Subscribe to receive new article notifications

or
* The summary newsletter is sent every 1-2 weeks, cancel anytime.

Comments (0)

Leave a comment...