HTTP Strict Transport Security (HSTS) is a web security policy that protects the connection between a browser and a website. Once a browser has received the policy from a site, it will only talk to that site over the encrypted HTTPS protocol: plain http:// links and typed addresses are rewritten to https:// before any request leaves the machine, and certificate errors for that site can no longer be clicked through. This defends against downgrade and man-in-the-middle attacks such as SSL stripping, where an attacker on the network path keeps the victim on unencrypted HTTP in order to read or modify traffic, including session cookies and login details. One caveat is worth knowing from the start: the browser only learns the policy when it first receives the header over a valid HTTPS connection, so the very first visit to a site is not covered.
HSTS closes that first-visit gap with a feature called “preloading.” Websites can ask to be added to a list that ships inside the browser, so the policy is enforced even for users who have never visited the site before.
What is the HSTS Header?
The HTTP Strict Transport Security header is an important part of web communication that helps make connections more secure. When a website sends this header to a user’s browser, it tells the browser to always connect to that website using a secure connection called HTTPS. This means all communication between the browser and the website will be protected and encrypted.
This header ensures that every visit to the website happens over HTTPS and that the user’s data is protected both from passive eavesdropping and from active downgrade attacks. It prevents the browser from ever trying an insecure HTTP connection to the site, which would expose users’ personal information to anyone on the network path.
According to Mozilla, “The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS”.
The HSTS header in HTML
The HTTP Strict Transport Security header is not a part of HTML itself; it is a security feature delivered by the web server as an HTTP response header. It cannot be set in the HTML of a page (a meta http-equiv tag is ignored for HSTS); it must be configured on the web server, the reverse proxy or the CDN that terminates TLS.
When a web server sends this header to a user’s browser, it tells the browser to always connect to the website using a secure HTTPS connection instead of an insecure HTTP connection. This is done to improve security and ensure that all communication between the browser and the website is encrypted and protected.
The function of the HSTS header
The HSTS (HTTP Strict Transport Security) header has one main job: to make web connections more secure. It does this by telling your web browser to always connect to a website using a safe connection called HTTPS. This means that all communication between your browser and the website will be protected and encrypted.
This header ensures that when you visit a website, it happens securely, keeping your personal information safe and preventing connections from being vulnerable to possible attacks. It helps make your online experience safer.
According to W3Techs, HSTS is used by 27.4% of websites at the time of writing.
HSTS Syntax
The syntax of the HTTP Strict Transport Security header is pretty straightforward. It’s used in the server’s response and follows a simple format. Here’s the basic structure:
Strict-Transport-Security: max-age=value[; includeSubDomains][; preload]
HSTS Directives
The directives help control various aspects of how the header works for a website. Here are the common directives:
- max-age: this is the most important part, and the only mandatory directive. It indicates how long (in seconds) the browser should remember to use HTTPS when connecting to the website. For example, max-age=31536000 means the browser will remember this policy for one year. Every response that carries the header resets the timer, so a visitor who returns regularly stays covered indefinitely. A value of 0 tells the browser to delete the stored policy, which is how HSTS is switched off again.
- includeSubDomains (optional): if this directive is included, the HSTS policy applies not only to the main domain but also to all subdomains. For example, “Strict-Transport-Security: max-age=31536000; includeSubDomains” makes the browser use HTTPS for every subdomain of the website as well. Before enabling it, make sure every subdomain (including internal or legacy hosts) actually works over HTTPS, because browsers will refuse plain HTTP to all of them for the whole max-age. The directive is also what stops cookies scoped to the parent domain from being sent to an attacker-controlled plain-HTTP subdomain.
- preload (optional): this directive signals that the website wants to be added to the HSTS preload list that ships with browsers, so that the policy is enforced even for users who have never visited the site before. On its own it has no effect on the browser; you must submit the domain at hstspreload.org, and the submission is only accepted if the base domain serves a valid certificate, redirects HTTP to HTTPS on port 80, and sends the header on the HTTPS response with a max-age of at least one year (31536000), includeSubDomains and preload. Removal from the list takes months to reach users, so treat preloading as permanent, and do not put preload in the header unless you intend to be on the list, since anyone can submit a domain that serves it.
HSTS Header Examples
Let’s see a few examples of HSTS headers with different configurations.
Basic setting: this header sets a simple policy for 1 year for the main domain:
Strict-Transport-Security: max-age=31536000
Subdomains: this header applies the policy to all subdomains of the main domain for 6 months:
Strict-Transport-Security: max-age=15552000; includeSubDomains
Preload: this header requests inclusion in the HSTS preload list and sets a policy for 1 year for the main domain and its subdomains:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Excluding a subdomain: there is no directive for this. The HSTS specification (RFC 6797) defines only max-age, includeSubDomains and preload, and it requires browsers to ignore any directive they do not recognise. A header such as the following, which is sometimes suggested, therefore still applies the policy to every subdomain, and the made-up exclusion does nothing:
Strict-Transport-Security: max-age=31536000; includeSubDomains; excludeSubDomains=subdomain.example.com; preload
If one subdomain cannot serve HTTPS, the only options are to fix that subdomain or to drop includeSubDomains (which also rules out preloading).
These examples show the HSTS header configurations that web servers can send in their HTTP responses to protect users against downgrade and man-in-the-middle attacks. The duration (max-age) and the inclusion of subdomains (includeSubDomains) should be chosen according to the website’s needs; the preload directive requires meeting the requirements described above for inclusion in the browsers’ preload list.
HSTS browser compatibility
It works well with most modern web browsers, which means it’s effective for making web connections more secure.
Google Chrome, Mozilla Firefox, Microsoft Edge, Safari and Opera all support it, as do their mobile versions on Android and iOS. Internet Explorer 10 and earlier do not, so it is better to encourage users of those browsers to move to an up-to-date one.
The preload list mentioned earlier is maintained by the Chromium project and is also consumed by Firefox, Safari and Edge, so a site that has been preloaded is protected from the very first visit in all of the major browsers.
How to configure HSTS?
The configuration of this header can vary depending on the web server you are using. Below, we will provide you with general instructions for setting up HSTS on various popular web servers, as well as on Cloudflare.
Configuring HSTS on Nginx
Open your Nginx site configuration file in a text editor. Usually located in /etc/nginx/sites-available/ or /etc/nginx/conf.d/, depending on your Linux distro.
Add the following line inside the HTTPS server block (the one with listen 443 ssl). Browsers ignore HSTS received over plain HTTP, so the port-80 server block should only redirect to HTTPS. The always parameter (Nginx 1.7.5 or newer) makes the header appear on error responses and redirects as well, not only on 2xx and 3xx responses:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
This sets a policy for 1 year (31536000 seconds) and includes subdomains (includeSubDomains). Note that an add_header inside a location block replaces every add_header inherited from the server block, so the HSTS line has to be repeated in any location that sets its own headers.
Save and close the configuration file, and now restart Nginx to apply the changes:
systemctl restart nginx
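The following is an added example, not configuration taken from the original article: a complete pair of Nginx server blocks showing where the header belongs, the HTTP-to-HTTPS redirect that has to accompany it, and the location-block inheritance pitfall. The hostnames and certificate paths are placeholders.

```nginx
# Added example: HTTP listener only redirects, because browsers ignore HSTS over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder hostnames
    return 301 https://$host$request_uri;
}

# HTTPS listener carries the policy.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder paths
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # "always" (Nginx >= 1.7.5) emits the header on 4xx/5xx and redirect responses too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example;

    location /static/ {
        # Pitfall: any add_header here discards ALL add_header lines inherited from the
        # server block, so the HSTS header must be repeated alongside the new one.
        add_header Cache-Control "public, max-age=86400";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
```

After saving, run the configuration test (nginx -t) before reloading; a syntax error in the file would otherwise take the site down together with the policy.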
Setting up HSTS on Apache
Open your Apache site configuration file in a text editor; on most modern Debian-based distros it’s located in /etc/apache2/sites-available/ (on RHEL-family systems look in /etc/httpd/conf.d/).
Add the following line inside the HTTPS (port 443) VirtualHost block. Browsers ignore HSTS received over plain HTTP, so the port-80 VirtualHost should only redirect to HTTPS. The always keyword makes Apache send the header on error responses and redirects too:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Save and close the configuration file.
Don’t forget to enable the headers module if it’s not already enabled:
a2enmod headers
Restart Apache to apply the changes:
systemctl restart apache2
How to set HSTS on Caddy
Open your Caddyfile in a text editor. Caddy 2 has no HSTS option inside the tls block; the header is added with the header directive in the site block. Caddy already obtains certificates and redirects HTTP to HTTPS on its own, so that part needs no extra configuration:
example.com {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
Save the file and restart Caddy:
systemctl restart caddy
Configuring HSTS on Lighttpd
Open the Lighttpd configuration file in a text editor; it’s usually located in /etc/lighttpd/lighttpd.conf.
The header is produced by mod_setenv, so make sure that module is loaded, and send the header only on HTTPS responses (browsers ignore HSTS received over plain HTTP). The $HTTP["scheme"] conditional needs lighttpd 1.4.46 or newer; on older releases use $SERVER["socket"] == ":443" instead:
server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}
Save and close the configuration file, then restart Lighttpd to apply the changes:
systemctl restart lighttpd
Enabling HSTS on LiteSpeed
If you’re using LiteSpeed along with Apache’s configuration, for example in a cPanel server, just add the following header to your .htaccess file:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
If you’re using LiteSpeed’s native configuration, then log in to the LiteSpeed web admin interface.
Click on Virtual Hosts and then on the desired virtual host, now click on Context > Add, select Static type.
Now set the context URI to / and add the header line under the setting labeled “Extra Headers” (one full header per line, name and value separated by a colon):
Strict-Transport-Security: max-age=31536000; includeSubDomains
Now just restart LiteSpeed to apply the changes.
Configuring HSTS on Cloudflare
For Cloudflare, you can enable the header through their web control panel:
- Log in to your Cloudflare account.
- Select the domain you want to configure.
- Go to the “SSL/TLS” section and choose “Edge Certificates.”
- In the “HTTP Strict Transport Security (HSTS)” section, click Enable HSTS, read the warning Cloudflare shows (browsers will cache the policy for the whole max-age, so the site must keep serving HTTPS for at least that long), and set max-age, “Apply HSTS policy to subdomains” and “Preload” according to your needs.
- Save the configuration. Pair it with the “Always Use HTTPS” option in the same Edge Certificates section so that plain HTTP requests are redirected.
Setting HSTS on IIS
- Open IIS Manager.
- Select the site where you want to enable HSTS.
- Double-click HTTP Response Headers.
- In the Actions panel, click Add.
- Set these values:
- Name: Strict-Transport-Security
- Value: max-age=31536000; includeSubDomains (append ; preload only if you intend to submit the domain to the preload list)
- Click OK to save the header.
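A header added through HTTP Response Headers is also attached to plain-HTTP responses, which browsers ignore; that is harmless, but you still need a separate HTTP-to-HTTPS redirect. IIS 10.0 version 1709 and later have native HSTS support that handles both, reachable through the “HSTS...” link in the site’s Actions pane in IIS Manager or directly in applicationHost.config. The following is an added example of that native configuration, not text from the original article; the site name, id and hostname are placeholders.

```xml
<!-- Added example: excerpt of %windir%\System32\inetsrv\config\applicationHost.config
     (IIS 10.0 version 1709 or later). The <hsts> element is a child of <site>. -->
<site name="Contoso" id="1">
  <bindings>
    <binding protocol="http"  bindingInformation="*:80:www.example.com" />
    <binding protocol="https" bindingInformation="*:443:www.example.com" sslFlags="1" />
  </bindings>
  <!-- Only HTTPS responses get the header, and port 80 is redirected by IIS itself.
       Set preload="true" only once you intend to submit the domain to hstspreload.org. -->
  <hsts enabled="true"
        max-age="31536000"
        includeSubDomains="true"
        redirectHttpToHttps="true" />
</site>
```

Unlike the static response header, the native setting cannot accidentally be left out of error pages or redirects, and it removes the need for a separate URL Rewrite rule for the redirect.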
Testing the HSTS configuration
If you want to test your current HSTS configuration, just follow our steps:
- Access our web security scanner.
- Input your domain in the scan box.
- Now tick the two boxes below (‘Clear cache’ and ‘Follow redirects’).
- Hit the Scan button.
- Now scroll down to the ‘HTTP Security Headers’ section and check the ‘HSTS header’ results: a ‘Passed’ in green is good. However, if you get a ‘Failed’ in red, you must update your current settings.
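If you would rather check the header yourself, or want to understand what a scanner is grading, the following is an added example in Python that is not part of the original article and not the scanner’s own code. It parses a Strict-Transport-Security value according to the rules in RFC 6797 (directive names are case-insensitive, max-age is required and may be quoted, duplicated directives invalidate the header, unknown directives are ignored) and grades it against the preload-list bar assumed here (max-age of at least one year, includeSubDomains, preload). The sample header values at the bottom are constructed for the demonstration; fetch_hsts is only used when you point it at a real https:// site.

```python
"""Added example: parse and grade a Strict-Transport-Security header like a scanner would."""
import ssl
import urllib.request
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # preload bar assumed by this example


def parse_hsts(value):
    """Parse an HSTS header value into a dict.

    Raises ValueError for a header a browser would reject: missing, duplicated
    or non-numeric max-age (RFC 6797 section 6.1).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "unknown": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # delta-seconds may be a quoted-string
        if name in seen:
            raise ValueError(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be delta-seconds, got {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        else:
            # Browsers silently ignore directives they do not recognise.
            policy["unknown"].append(name)
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy


def check_hsts(value, minimum=ONE_YEAR):
    """Return a list of findings; an empty list means the header meets the preload bar."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to discard any stored policy")
    elif policy["max_age"] < minimum:
        findings.append(f"max-age {policy['max_age']} is below {minimum}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing")
    if not policy["preload"]:
        findings.append("preload missing")
    for name in policy["unknown"]:
        findings.append(f"unknown directive ignored by browsers: {name}")
    return findings


def fetch_hsts(url, timeout=10):
    """Fetch the header from a live site (network access; not used by the samples below).

    Browsers only honour HSTS received over HTTPS, so a plain http:// URL is refused
    rather than being reported as a pass or a fail.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("HSTS is only honoured over HTTPS; scan the https:// origin")
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "hsts-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    # Constructed sample values, including a made-up "excludeSubDomains" directive that
    # some guides list but that no browser implements.
    samples = [
        "max-age=31536000",
        "max-age=15552000; includeSubDomains",
        "max-age=31536000; includeSubDomains; preload",
        "max-age=31536000; includeSubDomains; excludeSubDomains=dev.example.com; preload",
        "max-age=0",
        "includeSubDomains",
    ]
    for sample in samples:
        print(f"{sample!r} -> {check_hsts(sample) or ['ok']}")
```

Run the module directly to grade the constructed samples, or call fetch_hsts("https://example.com/") and pass the result to check_hsts to grade a real site. Because fetch_hsts follows redirects, a header returned for a site whose base domain first redirects to www. reflects the final hop; the preload submission form checks each hop of that chain separately.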
Fixing the HSTS header misconfiguration
How do you fix the missing HSTS header reported by our web security scanner? Fixing it is straightforward: this article already includes the steps for popular web servers such as Apache, Nginx and LiteSpeed, as well as for Lighttpd, Caddy, IIS and Cloudflare. You can find them a few paragraphs above. The two things the scanner most often finds are the header missing entirely and the header sent only on the HTTP response or only on some pages; in both cases, make sure it is sent on every HTTPS response and that HTTP requests are redirected to HTTPS.
HSTS FAQ
What does HSTS mean?
It stands for “HTTP Strict Transport Security.” It’s a web security feature that ensures web browsers only make secure connections (HTTPS) to a specific website, helping to protect against certain types of cyberattacks.
Is HSTS necessary?
While this feature isn’t absolutely necessary, it’s highly recommended, especially for sites that handle sensitive information like passwords or credit card data. Implementing the header significantly improves security by ensuring that connections to your website are always secure.
Is HSTS a vulnerability?
No, it is not a vulnerability. It is a security measure designed to address transport-layer weaknesses such as man-in-the-middle and SSL-stripping attacks and the session hijacking they enable. The one operational risk is self-inflicted: a long max-age with includeSubDomains on a domain where some host cannot serve HTTPS will lock browsers out of that host until the policy expires or is replaced by a max-age=0 header received over HTTPS, so roll it out with a short max-age first and raise it once every host has been verified.
Summary
HTTP Strict Transport Security (HSTS) is very important for boosting web security. It ensures your web browser always connects to websites using a secure and encrypted connection (HTTPS), safeguarding your data from potential hackers. This header tells your browser to use HTTPS exclusively, even if you try to use the less secure HTTP protocol.
It works with popular browsers like Chrome, Firefox, Edge, and Safari. Some older browsers might not fully support it, so it’s best to use updated ones. Mobile browsers on Android and iOS also support it.