What is HTTP Strict Transport Security (HSTS)?
HTTP Strict Transport Security, or HSTS, is a response header that instructs a browser to use HTTPS for every subsequent request it sends to that server. This means that when a user browses to http://www.networking4all.com, the browser goes straight to https://www.networking4all.com without sending the plain HTTP request first. This also prevents an attacker in a Man in the Middle position from forcing a downgrade attack, which would move the traffic onto an unencrypted connection instead of the encrypted HTTPS connection.
HSTS works in such a way that not only direct traffic to the website is automatically moved to a secure HTTPS connection: it also applies to links on an external page that point to the HTTP URL. The forced use of HTTPS also prevents the session from being hijacked through cookies sent over an unencrypted connection.
Setting up HSTS on a server is as simple as adding one response header to the configuration:
Strict-Transport-Security: max-age=31536000
This tells the browser to enforce HTTPS for the site for one year, or 31,536,000 seconds. Note that a browser only honours the header when it arrives on an HTTPS response; the same header sent over plain HTTP is ignored.
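The browser-side behaviour described above (remember the host after seeing the header on an HTTPS response, then rewrite http:// to https:// for the lifetime of max-age without sending a plaintext request) can be modelled in a few lines. The following is an added example and not code from networking4all or from any browser; the parser and the `HstsStore` class are constructed here for illustration, and the `includeSubDomains` directive it also handles comes from RFC 6797 rather than from the text above.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header value, matching the one shown on the page.
EXAMPLE_HEADER = "max-age=31536000"


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Per RFC 6797 the value is a ';'-separated list of directives; names are
    case-insensitive and max-age is required. Returns None when the header is
    unusable (missing or non-numeric max-age, or a duplicated directive).
    This parser is lenient about whitespace around '=' and ';'.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            return None  # duplicate directive makes the header invalid
        directives[name] = val
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
    }


class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def learn(self, response_scheme, host, header_value):
        """Record a policy from a response. Returns True if the policy was applied."""
        # The header only counts on an HTTPS response; over plain HTTP it is ignored.
        if response_scheme != "https":
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        expires_at = self.now() + policy["max_age"]
        self.policies[host] = (expires_at, policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if an unexpired policy covers this host (directly or via a parent)."""
        host = host.lower()
        now = self.now()
        entry = self.policies.get(host)
        if entry and entry[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            entry = self.policies.get(parent)
            if entry and entry[0] > now and entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch.

        For a known host an http:// URL becomes https:// before any request is
        sent; port 80 is dropped (443 is implied), other explicit ports are kept.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.learn("https", "www.networking4all.com", EXAMPLE_HEADER)
    print(store.rewrite("http://www.networking4all.com/"))
```

The `now` parameter exists so that expiry can be tested with a fake clock; a real browser persists the cache to disk and also consults a built-in preload list, neither of which is modelled here.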