HSTS and Protecting Websites from Man-In-The-Middle Attacks

Issue

Protecting your website and its users from the dangers of the internet is always an important task. No one wants their website to be compromised or cause serious harm to its users.

Technical specifications, constantly updated in the form of RFC, aim to identify new rules to prevent or at least minimize potential concerns for your website and its users.

HSTS is one of the specifications that helps prevent website attacks through insecure website redirections. So, what exactly is HSTS and how does it work? Keep reading this article to find out.

What is HSTS?

HTTP Strict-Transport-Security (HSTS) tells browsers that a website should only be accessed over HTTPS and any future attempts to access it over HTTP should automatically switch to HTTPS. It might sound like a regular "redirect" from HTTP to HTTPS, but the difference is that with HSTS, your browser handles the redirection instead of the server.

Real-world Attack Scenarios

If a website redirects from HTTP to HTTPS through server-side settings like Nginx, the initial HTTP request from the user will receive an unencrypted response before being redirected to HTTPS. For example, if you access http://2coffee.dev or even just 2coffee.dev, you will experience a delay while your browser waits for a response before redirecting to https://2coffee.dev. This creates an opportunity for a man-in-the-middle attack. The redirection behavior can be exploited to redirect users to a malicious website instead of the secure original version.

HSTS informs the browser never to load a website over HTTP and instead automatically convert all HTTP accesses to HTTPS.

Imagine you are using a free Wi-Fi hotspot and start browsing the web, accessing your online banking service to check your balance and pay a few bills. Unfortunately, the hotspot you are actually using is a hacker's laptop and they are intercepting your initial HTTP requests to redirect you to a fake banking website instead of the legitimate one. Now, your personal data is at risk of being exposed.

HSTS solves this problem. As long as you have accessed your banking website once using HTTPS and it utilizes HSTS, your browser will automatically use HTTPS, preventing the attacker from performing this man-in-the-middle behavior.

How it Works

When you first visit a website over HTTPS and it returns the Strict-Transport-Security header, your browser records this information so that future visits to the website over HTTP are replaced with HTTPS.

strict-transport-security: max-age=15724800; includeSubDomains

When the expiration time (max-age) specified by Strict-Transport-Security ends, everything works as it did before HSTS was in place. However, whenever strict-transport-security is sent to the browser, it updates the expiration time for that website. So, if a user frequently visits the website, the max-age will be regularly extended. If HSTS needs to be turned off, simply set max-age=0.

Implementation

Regardless of which web server you are using, the goal is to add the Strict-Transport-Security header to the response headers of the HTTP request.

For example, if you are using Nginx, open the Nginx configuration file and add the following line:

server {
    listen 443 ssl;

    ...  

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...  

Check out: HTTP Strict Transport Security (HSTS) and NGINX.

The Chrome browser provides the website hstspreload.org where you can submit your website's address to be included in the HSTS preload list. If your website is on this list, even the first visit using HTTP will know that your website has HSTS enabled and will automatically apply the security rules.

Conclusion

HSTS is one of the efforts made by browsers to prevent attackers from targeting users of our websites. Through this article, I hope that everyone becomes aware of the presence of HSTS and can enhance the security of their websites.