Skip to content

Secure HTTP Strict Transport Security (HSTS) Implementation

Secure HTTP Strict Transport Security (HSTS) Implementation

Description

HTTP Strict Transport Security (HSTS) is a web security policy that enforces secure (HTTPS) connections between users and the web server by communicating the policy via the "Strict-Transport-Security" HTTP response header. The application has implemented a secure HSTS policy to protect against man-in-the-middle attacks, ensuring all communications are encrypted and enhancing overall security.

Key Features of the HSTS Implementation:

  1. Enforced HTTPS: The HSTS policy automatically converts any insecure HTTP links to secure HTTPS links, ensuring all interactions are encrypted.

  2. Prevention of Insecure Access: If a secure connection cannot be established (e.g., due to an invalid TLS certificate), the user agent will block access, preventing potential security risks.

  3. Configurable Duration: The HSTS policy specifies a long enough duration to ensure that users will continue to access the application securely over time.

  4. Subdomain Support: If applicable, the HSTS policy includes the "includeSubDomains" directive, extending security to all subdomains.

  5. Preload List: Websites can submit their domains to a preload list built into browsers, ensuring HSTS is enforced from the first visit, protecting against attacks on the initial connection.

  6. Max-Age Setting: The max-age directive lets sites specify how long browsers should enforce HTTPS, with options to set it for long periods, like years.

  7. No Mixed Content: HSTS ensures all resources, including images and scripts, are loaded over HTTPS, preventing insecure content on secure pages.

  8. Error Handling: When an HSTS error occurs, such as an invalid certificate, browsers block access without allowing users to bypass the warning, improving security.

  9. Header-Only Implementation: HSTS is implemented via a simple HTTP header, making it easy to configure without changing site content.

  10. Automatic HTTPS Rewrites: Some browsers automatically rewrite URLs to HTTPS before making a request, even if the user types HTTP in the address bar.

  11. Non Secureable Port Blocking: HSTS prevents connections to insecure ports, such as port 80, for the specified domain.

This secure implementation of HSTS ensures that users can safely interact with the application, protecting sensitive data from interception and misuse.

Recommendation

The implementation is secure, no recommendations apply.