DEV Community

Chanbong Park

HSTS (HTTP Strict Transport Security)

1. What is HSTS?

HSTS (HTTP Strict Transport Security, RFC 6797) is a web security mechanism in which a web server instructs the browser to use only HTTPS for a given host for a stated period. Once the policy is cached, the browser rewrites http:// requests to https:// before they leave the machine and refuses to let the user click through certificate errors for that host. This defeats SSL-stripping man-in-the-middle (MITM) attacks and other protocol downgrade attacks that rely on an initial plain-HTTP request. It is considered an essential security measure for services handling financial, e-commerce and personal data.


2. How HSTS Works

The server sends its policy to the client by including the Strict-Transport-Security header in an HTTPS response. Browsers ignore the header when it arrives over plain HTTP, because an on-path attacker could otherwise inject or alter it.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

3. HSTS Header Options

  • max-age: The number of seconds the policy remains valid, counted from the most recent response that carried the header; each new response refreshes the timer. max-age=0 tells the browser to forget the policy for that host.
  • includeSubDomains: Applies the HSTS policy to all subdomains of the host as well.
  • preload: Signals that the site owner consents to the domain being added to the browsers' built-in HSTS preload list. The directive alone does nothing in the browser; the domain must also be submitted to the list (see section 6).

Once the browser has received the policy over HTTPS, it forces HTTPS for the host (and, with includeSubDomains, its subdomains) for the stated duration (e.g., 31,536,000 seconds = one year). The policy is trust-on-first-use: a user's very first visit to a host not yet in the cache can still go out as plain HTTP, which is the gap the preload list closes.
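The following Python model of the browser side of HSTS is an added example, not code from the original post. It parses the header, stores a policy only when it arrives over HTTPS, honours max-age (including max-age=0 and expiry), applies includeSubDomains to child hosts, and shows that the first plain-HTTP visit to an unknown host is not upgraded. The `preload` set passed to the constructor is a constructed stand-in for the browser's built-in list; host names such as example.com and bank.example are placeholders.

```python
"""Model of the browser side of HSTS: storing a policy and applying it to later URLs."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}.

    Directive names are case-insensitive; valueless directives such as
    includeSubDomains and preload map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"') or None
    return directives


class HstsStore:
    """A browser's HSTS cache: host -> (expiry timestamp, includeSubDomains flag).

    `preload` is a constructed stand-in for the built-in preload list; real
    preload entries always carry includeSubDomains, so they are treated as
    permanent entries covering all subdomains here.
    """

    def __init__(self, preload=(), clock=time.time):
        self.clock = clock
        self.entries = {}
        self.preload = {h.lower() for h in preload}

    def observe_response(self, url, headers):
        """Update the cache from one response. Returns True if the cache changed."""
        parts = urlsplit(url)
        # RFC 6797: the header is honoured only on a secure (HTTPS) transport,
        # otherwise an on-path attacker could inject or strip policies.
        if parts.scheme != "https":
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return False
        directives = parse_sts(value)
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            return False  # max-age is mandatory; a malformed header is ignored
        host = parts.hostname.lower()
        if int(max_age) == 0:
            # max-age=0 is how a site tells browsers to forget its policy
            self.entries.pop(host, None)
            return True
        self.entries[host] = (self.clock() + int(max_age),
                              "includesubdomains" in directives)
        return True

    def is_known_hsts(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self.clock():
                del self.entries[candidate]  # lazily drop expired entries
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_hsts(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]  # explicit port 80 becomes the default HTTPS port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("http://example.com/login"))   # first visit: still plain http
    store.observe_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite("http://example.com/login"))   # now rewritten to https
    print(store.rewrite("http://api.example.com/v1"))  # subdomain covered too
```

Run it as a script to see the trust-on-first-use gap: the first `rewrite` call returns the http:// URL unchanged, and only after an HTTPS response carrying the header does the same URL get upgraded. Passing a `preload` set closes that gap for the listed hosts.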


4. Advantages

  • Defeats SSL stripping: An attacker on the network path can no longer keep a victim on plain HTTP, because the browser never sends the http:// request for a host it knows to be HSTS.
  • Prevents protocol downgrade attacks: Connections cannot fall back to insecure HTTP, and the browser blocks (rather than offering a click-through for) certificate errors on HSTS hosts, so a forged certificate cannot be accepted by mistake.

5. Precautions

  • Misconfiguration Risks: Browsers remember the policy for the full max-age, so a mistake is hard to undo. Enabling includeSubDomains with a long max-age breaks any subdomain that is still HTTP-only, and the only remedy is to serve every affected host over HTTPS or wait for the policy to expire. Roll out with a short max-age (minutes or hours), confirm nothing breaks, then raise it to a year or more. Preload is effectively permanent: removal from the list takes months to reach users.
  • SSL/TLS Management: Since HTTP can no longer be used as a fallback, an expired or misissued certificate makes the site unreachable rather than merely showing a warning. Automate certificate renewal and monitor expiry for every host covered by the policy.

6. HSTS Preload List

The HSTS Preload List is a list maintained by the Chromium project and built into major browsers (Chrome, Firefox, Edge, Safari, etc.) that enforces HTTPS for the registered domains before any response from the site has been seen.

  • You can submit your domain for inclusion at the HSTS Preload website (hstspreload.org).
  • Once approved, the domain is added to the preload list shipped with the next browser releases.
  • Even if a user enters the domain with http://, the browser rewrites the request to https:// internally before sending it, so no plain-HTTP request reaches the network.

Benefits of the Preload List

  • Enhanced Security: Browsers enforce HTTPS from the very first request, removing the trust-on-first-use gap that SSL-stripping attacks exploit.
  • No Initial HTTP Request: Because the first request is already HTTPS, there is no cleartext request for an attacker to intercept or redirect.
  • Compliance with Modern Security Policies: Preloading is a widely expected baseline for domains that handle sensitive data.

Registration Requirements for the Preload List

  • All hosts under the domain, including every subdomain, must serve a valid SSL/TLS certificate over HTTPS.
  • If the site listens on port 80, HTTP requests must redirect to HTTPS on the same host (not directly to www. or another host).
  • The Strict-Transport-Security header served on the base domain over HTTPS must have a max-age of at least 31536000 seconds (one year) and include both the includeSubDomains and preload directives. If the HTTPS site itself redirects, that redirect response must carry the header too.
  • The domain must be submitted and registered via hstspreload.org.
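As an added example (not code from the original post or from hstspreload.org), the checker below applies the submission rules above to a domain's observed responses so they can be verified offline before submitting. The responses are constructed dicts describing what http://&lt;domain&gt;/ and https://&lt;domain&gt;/ returned; example.com is a placeholder, and certificate validity and per-subdomain coverage are assumed to be checked separately by a real TLS client.

```python
"""Offline check of a domain's responses against the hstspreload.org submission rules."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age (seconds) that hstspreload.org accepts
REDIRECT_STATUSES = (301, 302, 307, 308)


def sts_directives(header_value):
    """Lower-cased {directive: value-or-None} view of a Strict-Transport-Security value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    return {p.split("=", 1)[0].lower(): (p.split("=", 1)[1].strip() if "=" in p else None)
            for p in parts}


def preload_problems(domain, http_response, https_response):
    """Return the reasons `domain` would be rejected; an empty list means eligible.

    http_response and https_response are dicts {"status": int, "headers": {...}}
    describing what http://<domain>/ and https://<domain>/ returned. Certificate
    validity and subdomain coverage are not modelled here; the real checker
    verifies those by connecting to each host.
    """
    problems = []

    # Rule: HTTP must redirect to HTTPS on the same host (not straight to www.).
    http_headers = {k.lower(): v for k, v in http_response.get("headers", {}).items()}
    if http_response.get("status") not in REDIRECT_STATUSES:
        problems.append("http://%s/ must redirect to HTTPS" % domain)
    else:
        target = urlsplit(http_headers.get("location", ""))
        if target.scheme != "https" or (target.hostname or "").lower() != domain.lower():
            problems.append("HTTP redirect must target https://%s/ on the same host, got %r"
                            % (domain, http_headers.get("location")))

    # Rule: the HTTPS response must carry the full header, even if it is itself a redirect.
    https_headers = {k.lower(): v for k, v in https_response.get("headers", {}).items()}
    value = https_headers.get("strict-transport-security")
    if value is None:
        problems.append("https://%s/ sends no Strict-Transport-Security header" % domain)
        return problems

    d = sts_directives(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age=%s is below the required %d (one year)" % (max_age, ONE_YEAR))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed responses for a hypothetical example.com deployment.
    http_ok = {"status": 301, "headers": {"Location": "https://example.com/"}}
    https_ok = {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}}
    print(preload_problems("example.com", http_ok, https_ok))   # eligible: []
    https_weak = {"status": 200, "headers": {"Strict-Transport-Security": "max-age=86400"}}
    for problem in preload_problems("example.com", http_ok, https_weak):
        print("-", problem)
```

The weak configuration in the script is the common one: a header was added, but with a one-day max-age and without includeSubDomains or preload, so the submission would be rejected on three counts even though HSTS itself is "working" for the bare host.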

Registration and Implementation Process

1. Site Verification

  • Ensure that all HTTPS configurations are correctly set up.
  • Verify that the Strict-Transport-Security header contains the required values.

2. Submission

  • Enter your domain name at hstspreload.org and submit a registration request.

3. Review

  • The site automatically fetches your domain over HTTP and HTTPS and validates the redirect and the HSTS header against the requirements above.
  • If any check fails, the request is rejected with the reasons listed. Fix them and resubmit.

4. List Inclusion

  • Once approved, your domain is added to the preload list embedded in the browser source code.

5. Browser Update

  • The updated preload list is distributed with browser updates.
  • It may take several weeks to months for the changes to propagate to all users.

Because the HSTS Preload List is hard-coded into the browser, a newly registered domain is not protected by the preload entry until users run a browser build that contains it. In the meantime the header-based policy still applies as soon as a user has received one HTTPS response carrying the header, so serving the header correctly is what protects users during the rollout.

For example, in Chromium-based browsers the preload list is a JSON file in the source tree, so adding a domain requires a change to that file followed by a browser release that users actually install. Even after approval on hstspreload.org, expect weeks to months before the entry reaches the whole user base.

Chrome Specifics

  • Source Code Path:
src/net/http/transport_security_state_static.json

Browsers such as Firefox, Safari, Opera, and Edge derive their own preload lists from the Chromium list, so a single submission at hstspreload.org reaches all of them, each on its own release schedule.
