
My website has HTTPS implemented. Should I really worry about implementing HSTS?

  • Published On: May 26, 2022 Updated On: February 16, 2023

Content:

  • Introduction
  • What is HTTPS?
  • How HTTP Strict Transport Security works?
  • Importance of HSTS?
  • How to check whether my website has implemented HSTS?
  • How to implement HSTS?
  • Conclusion

Introduction:

If a user reaches http://www.example.com/ (or just types example.com) and the site first answers over HTTP and then redirects to HTTPS, an attacker on the path can intercept that first HTTP request before the redirect happens, even though HTTPS is implemented. This opens the door to a man-in-the-middle attack. The HTTP Strict Transport Security header tells the browser that it should never access the site over HTTP and that any HTTP request to the site should be turned into an HTTPS request by default. Let's have a look at some samples and a brief explanation.

What is HTTPS?

  • HTTPS (hypertext transfer protocol secure) is a secure variant of HTTP, the most widely used protocol for exchanging data between a web browser and a website. 
  • To strengthen the security of data transport, HTTPS is encrypted.
  • This is particularly important when users submit sensitive data over the internet, such as when logging into a bank account, email service, or health insurance provider.


  • Any website, especially those that require login credentials, should use HTTPS.
  • In modern web browsers such as Chrome, websites that do not use HTTPS are marked differently from those that do: a green lock in the URL bar indicates that the webpage is secure.
  • Browsers take HTTPS seriously; Google Chrome and others flag non-HTTPS websites as insecure.

How HTTP Strict Transport Security Works?

Most people don't specify the protocol in URLs typed into the address bar. If you type www.example.com (or just briskinfosec.com), the browser falls back to the default HTTP protocol and sends an HTTP request to http://www.example.com.

Because the Briskinfosec site enforces HTTPS-only communication with HSTS, it responds with a 301 response code and the Strict-Transport-Security response header to indicate that only the HTTPS version of the site will be delivered.

The Strict-Transport-Security header can specify three directives:

  • The only necessary directive is max-age, which specifies how long the browser should remember that the site is only accessible via HTTPS. Because the maximum age is expressed in seconds, common expiry durations of 1 or 2 years amount to 31536000 or 63072000, respectively. If max-age is set to 0, the browser will forget about the site and handle it as if it were a new one the next time it connects.
  • includeSubDomains is an optional directive that specifies whether HTTPS is also required for all subdomains of the given domain. For optimal security, includeSubDomains should be included in the Strict-Transport-Security header sent on the HTTPS response, and the header should be set on the base domain (e.g. briskinfosec.com) so that all of its subdomains (particularly the www subdomain) are covered by HSTS.

Importance of HSTS?

The acronym HSTS stands for HTTP Strict Transport Security. It's a way for a website to declare that it should only be accessed over a secure connection (HTTPS). If a website sets an HSTS policy, the browser must reject all HTTP connections to it and must prevent users from accepting unsafe SSL certificates. The majority of major browsers now support HSTS (only some mobile browsers fail to use it).

In 2012, RFC 6797 defined HTTP Strict Transport Security as a web security standard. The major purpose of this standard was to protect against SSL stripping-based man-in-the-middle (MITM) attacks. SSL stripping is a technique in which an attacker forces a browser to connect to a site over HTTP in order to sniff packets and intercept or change sensitive data. HSTS is also a useful tool for preventing cookie hijacking.


How to check whether my website has implemented HSTS?

There are a couple of easy ways to check whether HSTS is working on your website. One is to open Google Chrome DevTools, click the “Network” tab, select the request for your page and look at the Headers tab for the Strict-Transport-Security response header.
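As an added example (not code from the article), this Python script parses a Strict-Transport-Security header value into its directives and audits it against what the article describes: max-age present and long-lived (1 year = 31536000 seconds), includeSubDomains set, and no stray tokens such as a server-config flag accidentally quoted into the header value. The header dictionaries are constructed; in practice you would feed it the response headers seen in DevTools or returned by an HTTPS client.

```python
ONE_YEAR = 31536000  # common max-age from the article (2 years = 63072000)
KNOWN = {"max-age", "includesubdomains", "preload"}


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict.
    Names are case-insensitive per RFC 6797; valueless flags map to None."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if has_value else None
    return directives


def audit_hsts(headers):
    """Return findings for a dict of response headers; an empty list means the
    policy is well-formed, long-lived and covers subdomains."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header; http:// is still accepted"]
    d = parse_hsts(value)
    findings = []
    unknown = sorted(set(d) - KNOWN)
    if unknown:  # e.g. an nginx 'always' flag quoted into the header value
        findings.append("unknown directive(s) %s ignored by browsers; check config quoting" % unknown)
    if "max-age" not in d:
        findings.append("max-age missing: header is invalid and ignored")
    elif not (d["max-age"] or "").isdigit():
        findings.append("max-age must be a non-negative integer")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 clears the policy on the next visit")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append("max-age=%s is below the common 1-year value %d" % (d["max-age"], ONE_YEAR))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains such as www are not covered")
    return findings


if __name__ == "__main__":
    # Constructed header sets, not captured from any real site.
    for name, hdrs in {
        "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
        "misquoted": {"strict-transport-security": "max-age=300; includeSubDomains; preload; always;"},
    }.items():
        print(name, "->", audit_hsts(hdrs) or ["OK"])
```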


How to implement HSTS?

HSTS Installation for Apache Web Server

Add this to the .htaccess file in your top-level document root folder (such as public_html or httpdoc):

    # Use HTTP Strict Transport Security to force clients to use secure connections only
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

HSTS Installation for lighttpd 

Add this to your Lighttpd configuration file /etc/lighttpd/lighttpd.conf:

    server.modules += ( "mod_setenv" )
    # Only send the header on HTTPS responses; browsers ignore HSTS received over plain HTTP
    $HTTP["scheme"] == "https" {
        setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300; includeSubDomains; preload" )
    }

HSTS Installation for ASP.NET

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        switch (Request.Url.Scheme)
        {
            case "https":
                // Already on HTTPS: tell the browser to stay on HTTPS
                Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
                break;
            case "http":
                // Plain HTTP: redirect to the same host and path over HTTPS
                var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
                Response.Status = "301 Moved Permanently";
                Response.AddHeader("Location", path);
                break;
        }
    }

HSTS Installation for NGINX 

Add this to your NGINX configuration file site.conf:

    # 'always' is an add_header flag and must sit outside the quoted header value,
    # otherwise it becomes an unknown directive inside the header itself
    add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload' always;

Conclusion:

We strongly recommend using HSTS for all Internet-facing web applications: it protects against a wide range of attacks, is widely supported by browsers, and can be set up with a single line of configuration. Whichever technologies you choose, we recommend introducing secure coding practices and HSTS awareness early in the development lifecycle, and ensuring that your developers consider security from the start.