
What is HSTS and how do you set it up? – CloudSavvy IT



Image: locked and unlocked icons (Shutterstock / Pavel Ignatov)

HTTPS is very secure, but has one flaw: it's not enabled by default. An attacker in the middle could hijack a user's connection before you can instruct the browser to use HTTPS. HSTS solves this problem and ensures HTTPS is used for the entire site.

A working SSL/TLS certificate is a prerequisite for HSTS; without one, enabling HSTS will only make your site impossible to reach. You can read our guide on how to set up free SSL certificates with LetsEncrypt to enable HTTPS on your website.

How does HSTS work?

HSTS stands for HTTP Strict Transport Security and regulates how a user’s browser should connect to your website.

This is how the connection to your site usually works. A user wants to visit your website, and the browser sends a plain HTTP request to your server. Your server responds with a 301 Moved Permanently, telling the browser that the requested HTTP address should be loaded over HTTPS instead. The browser follows the redirect and the user browses securely.

However, an attacker with control of the connection (as is the case with man-in-the-middle attacks) could easily block the 301 response and take control of that user’s browser session. This is a big problem as it defeats the purpose of encrypting the site in the first place.

With HSTS enabled, the server sends the same 301 Moved Permanently response, but also sends a header that says, "Hey, I don't support HTTP. Don't even try to make more HTTP requests, as I'll be redirecting them all." The browser receives the message and rewrites future requests to HTTPS before sending them. This ensures that your site is always fully HTTPS by default.

HSTS preloading

However, standard HSTS has one major flaw: the very first connection a user makes is still insecure. If a user has already visited your website, the browser will remember the HSTS requirement for future visits. The initial response that carries the HSTS header, however, is still unprotected. If a user is browsing from a coffee shop's wifi and opening your website for the first time (or for the first time on a mobile device), their connection can still be hijacked.

HSTS preloading is an initiative of the Chromium project to solve this problem. The Chromium Project maintains a list of websites that are always HSTS enabled. This list is built into most popular browsers and the browser checks it before making requests to new websites.

If you are on the list, then even if the user has never interacted with your site before, the browser will act as if it has already seen your HSTS header and will never communicate with your site over HTTP. This makes the connection secure from the very first request.

Activate HSTS and join the preload list

HSTS can be activated with a simple header added to all responses your server sends:

Strict-Transport-Security: max-age=300; includeSubDomains; preload

You can include this in the configuration file of your web server. For example, in Nginx, you can set the header by inserting an add_header line in your server block:

add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload' always;

And for Apache, the directive is similar, using a Header always set line:

Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

However, there are a few more steps you can take to make sure everything is working properly and to be authorized to preload.

First, make sure you redirect all HTTP requests to HTTPS. On Nginx, you can do this by listening for all port 80 (HTTP) requests and sending a 301 response with the URL changed to its HTTPS equivalent:

server {
  listen 80;
  return 301 https://$host$request_uri;
}

Also, to qualify for preloading, you need to make sure that all of your subdomains are covered by your SSL certificate and that you are serving them over HTTPS. You can do this with a wildcard certificate, which you can get for free from LetsEncrypt. If you do not have any subdomains, this is not required, but it is still advisable.

You can verify that HSTS is working properly by loading your site with the header enabled, then going to chrome://net-internals/#hsts and entering your site name in the "Query HSTS/PKP domain" search tool. If your site shows output like this, HSTS is enabled.

HSTS is enabled if your site is displaying this output

You should also check that the strict-transport-security header is included in your site's response headers. You can do this from the Network tab in the Chrome Developer Tools:

Verify that the strict transport security header is included in your site's response headers

Once you’ve done all of this, the best thing to do is to test that everything works and that nothing broke when you turned on HSTS. If there aren’t any issues, you can go to the submission preload page, enter your domain name, and submit your website.

Problems with HSTS and HSTS preloading

With HSTS, your site must now use HTTPS for everything. This includes every subdomain, including internal tools. Every subdomain you have must have a valid SSL certificate and be secured with HTTPS. Otherwise, you will not be able to access it for the duration of the HSTS header (which can be up to two years). Having a wildcard certificate can solve some of these problems. However, you need to run tests before activating it for an extended period of time.

The main problem with HSTS preloading is that it is very permanent. The minimum max-age is a year and once your site is on the list there is no way to leave the list without going through a lengthy removal process that requires every user to update their browser to apply the changes.

The meta bug list of removal requests shows the main real-world problems. Uber had problems with subdomains: third and higher level subdomains are not covered by a normal wildcard certificate. A website from Sweden even reported significantly lower advertising revenue, because the local advertisers there did not load their resources over HTTPS, and HSTS blocks any insecure HTTP request made while the user is connected to your website.

The best way to avoid these issues is to introduce HSTS gradually before making it permanent and preloading. The Chromium project recommends testing in stages, first setting the max-age value to five minutes to check that it works:

max-age=300; includeSubDomains

Then to a week for a longer test:

max-age=604800; includeSubDomains

Then for a month until you are sure there are no problems:

max-age=2592000; includeSubDomains

If something goes wrong after you have set a really long max-age value, you can delete the local entry for your domain from Chrome's net-internals page.

Once you are sure that nothing will break with HTTPS enforced at all times, you can set max-age to two years, add the preload directive, and submit your website to the preload list.
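To check a header value against the preload requirements from the "Activate HSTS" section and the staged max-age values above, here is an added example (not from the original article) that parses a Strict-Transport-Security value and reports what would stop it from qualifying. It only checks the header itself; the HTTP-to-HTTPS redirect and certificate coverage still have to be verified separately. The sample header values are constructed.

```python
"""Parse Strict-Transport-Security and check preload eligibility (added example)."""
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age for preloading


def parse_hsts(header_value):
    """Return {'max-age': int|None, 'includeSubDomains': bool, 'preload': bool}.

    Directive names are case-insensitive and max-age may be quoted (RFC 6797);
    unknown or empty directives are ignored, a non-numeric max-age is an error.
    """
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError("invalid max-age: %r" % value)
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(header_value):
    """List everything that stops this header from qualifying for the preload list."""
    policy = parse_hsts(header_value)
    problems = []
    if policy["max-age"] is None:
        problems.append("max-age directive missing")
    elif policy["max-age"] < PRELOAD_MIN_AGE:
        problems.append("max-age %d is below the one-year minimum" % policy["max-age"])
    if not policy["includeSubDomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    # Constructed samples: the five-minute and one-week test stages, then a final value.
    for value in ("max-age=300; includeSubDomains",
                  "max-age=604800; includeSubDomains",
                  "max-age=63072000; includeSubDomains; preload"):
        print(value, "->", preload_problems(value) or "ready for preload")
```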
