HSTS and Protecting Websites from Man-In-The-Middle Attacks

Issue

Protecting your website and its users from the dangers of the internet is always an important task. No one wants their website to be compromised or cause serious harm to its users.

Technical specifications, constantly updated in the form of RFC, aim to identify new rules to prevent or at least minimize potential concerns for your website and its users.

HSTS is one of the specifications that helps prevent website attacks through insecure website redirections. So, what exactly is HSTS and how does it work? Keep reading this article to find out.

What is HSTS?

HTTP Strict-Transport-Security (HSTS) tells browsers that a website should only be accessed over HTTPS and any future attempts to access it over HTTP should automatically switch to HTTPS. It might sound like a regular "redirect" from HTTP to HTTPS, but the difference is that with HSTS, your browser handles the redirection instead of the server.

Real-world Attack Scenarios

If a website redirects from HTTP to HTTPS through server-side settings like Nginx, the initial HTTP request from the user still travels unencrypted and receives an unencrypted response before the redirect to HTTPS happens. For example, if you access http://2coffee.dev or even just 2coffee.dev, you will notice a short delay while your browser waits for that first response before being redirected to https://2coffee.dev. This unencrypted first hop is the opening for a man-in-the-middle attack: anyone on the path can answer the HTTP request with a redirect to a malicious website instead of the secure original version.

HSTS informs the browser never to load a website over HTTP and instead automatically convert all HTTP accesses to HTTPS.

Imagine you are using a free Wi-Fi hotspot and start browsing the web, accessing your online banking service to check your balance and pay a few bills. Unfortunately, the hotspot you are actually using is a hacker's laptop and they are intercepting your initial HTTP requests to redirect you to a fake banking website instead of the legitimate one. Now, your personal data is at risk of being exposed.

HSTS solves this problem. As long as you have accessed your banking website once using HTTPS and it utilizes HSTS, your browser will automatically use HTTPS, preventing the attacker from performing this man-in-the-middle behavior.

How it Works

When you first visit a website over HTTPS and it returns the Strict-Transport-Security header, your browser records this information so that future visits to the website over HTTP are replaced with HTTPS.

strict-transport-security: max-age=15724800; includeSubDomains

Once the period given by max-age has elapsed, the browser forgets the rule and behaves as it did before HSTS was in place. However, every time the Strict-Transport-Security header is received over HTTPS, the browser resets the expiration time for that website, so a user who visits regularly keeps the rule refreshed indefinitely. If HSTS needs to be turned off, simply send max-age=0 and the browser drops the stored rule.
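The browser-side behaviour described above, written out as an added Python model of an HSTS store (illustrative code for this article, not the blog's or any browser's implementation). The header values, host names and timestamps in it are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed model of a browser's HSTS store: host -> (expires_at, include_subdomains).
hsts_store = {}

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or malformed."""
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

def record_hsts(host, header_value, now=None):
    """Apply a header received over HTTPS: max-age=0 deletes the entry, anything else refreshes it."""
    now = time.time() if now is None else now
    parsed = parse_hsts(header_value)
    if parsed is None:
        return False
    max_age, include_subdomains = parsed
    if max_age == 0:
        hsts_store.pop(host.lower(), None)  # the site has opted out of HSTS
    else:
        hsts_store[host.lower()] = (now + max_age, include_subdomains)
    return True

def upgrade_url(url, now=None):
    """Return the URL the browser would fetch: http:// becomes https:// when the exact host,
    or a parent domain recorded with includeSubDomains, has an unexpired entry."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):
        entry = hsts_store.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue                        # no entry, or max-age has elapsed
        if i == 0 or entry[1]:              # exact match, or parent with includeSubDomains
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url
```

The model only upgrades a request when a valid rule was previously stored, which is exactly why the very first HTTP visit to a site not on the preload list remains exposed.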

Implementation

Regardless of which web server you are using, the goal is to add the Strict-Transport-Security header to the response headers of the HTTP request.

For example, if you are using Nginx, open the Nginx configuration file and add the following line:

server {
    listen 443 ssl;

    ...

    # Set this only in the HTTPS server block: browsers ignore an HSTS header received over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ...
}

Check out: HTTP Strict Transport Security (HSTS) and NGINX.

The Chrome browser provides the website hstspreload.org where you can submit your website's address to be included in the HSTS preload list. If your website is on this list, even the first visit using HTTP will know that your website has HSTS enabled and will automatically apply the security rules.

Conclusion

HSTS is one of the efforts made by browsers to prevent attackers from targeting users of our websites. Through this article, I hope that everyone becomes aware of the presence of HSTS and can enhance the security of their websites.
