HSTS Preload ensures that your website loads securely in users' web browsers. It prevents an attacker from redirecting the users of your website or application to a non-secure channel, and it improves your website's security considerably. Just having a TLS / SSL certificate does not help you that much on its own!
Contents – HSTS Preload
- HSTS Preload
- Enable HSTS Preload
- Recommended Papers
Introduction – HSTS Preload
There was a time when the internet ran only over HTTP, the Hyper Text Transfer Protocol. Information transferred over HTTP is plain text and can be read easily, so cyber criminals misused that information and carried out crimes with little effort. Then HTTPS came, a secured version of HTTP in which data is transferred through an encrypted channel. That means your data is no longer served as plain text, and attackers have a much harder time reading or intercepting it. Then a method came to light, namely the Protocol Downgrade Attack, which can strip the TLS / SSL from a website and redirect users to a non-secure version of the site. HSTS was designed to solve this problem.
What is HSTS?
HTTP Strict Transport Security is a technique to tell the web browser to load your site over HTTPS (with TLS / SSL) only. If a client fails to connect over TLS, the website will not be served to that client at all. This means users of your website or application will only use it through an HTTPS connection. You need to set an HTTP header to enable HSTS.
To enable HSTS, HTTPS needs to be enabled first. That means your website needs a valid certificate issued by a CA; self-signed certificates won't help. An HSTS header sent over plain HTTP has no effect; the browser simply ignores it. HSTS is a response header field.
HTTP headers are, more precisely, the fields that pass information between a web server and a user agent. A header has two main parts, a name and a value, separated by a colon (:). There are mainly four groups of header fields: standard request headers, common non-standard request headers, standard response headers, and common non-standard response headers.
Advantages of HSTS
Say you have SSL enabled, which gives you encrypted communication. But imagine that someone converted that secured website to a non-secure (HTTP) site. Yes, that is actually possible! Sounds terrible, I know. But it is quite possible that a cyber criminal used a Man-In-The-Middle attack to achieve it. People may not notice, because there are a lot of websites without a TLS / SSL certificate. And if the user came to that website for the first time, it is possible that the user does not know the website has a certificate at all.
A Man-In-The-Middle attack is a technique that puts someone between you and your router; the attacker makes the victim's traffic go through their machine. Let me make it simpler: imagine you have two water tanks, and water flows from one tank to the other. In this particular attack, someone intercepts the waterline between the two tanks. They can do whatever they want with the water going to the other tank, and vice versa.
Don't worry! HSTS is here to the rescue. Using HTTP Strict Transport Security, you can tell the browser to remember your site as HTTPS-only for a period of time. HSTS also allows the web browser to cache the HTTPS state for the sub-domains of your website.
Limitations of HSTS
You may have noticed two issues in the text above under Advantages. Even if you didn't, let me break it down. If the HTTPS-only state is saved as a cache, what happens when a user visits the website for the first time? And since the cached state has a time limit, what if someone messes with the time on the victim's machine, for example with incorrect NTP packets?
The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP was designed by David L. Mills of the University of Delaware. (Wikipedia)
These two are very important questions that point at a weakness of Strict Transport Security. To cache the state, the website must have been loaded through HTTPS in the web browser at least once. Also, someone could change the time on the victim's machine to a point after the HSTS policy expires.
What is HSTS Preload?
HSTS Preload means your website is preloaded in the browser as HTTPS-only. Even if a user has never visited your website, they will see the site through a secure connection, because the web browser developers have included your site in the preloaded list of HSTS sites.
However, this whole process can take time, maybe months, because your website will be hard-coded in the browsers to load over HTTPS only. You will see the update in the next release of a browser, and sometimes it takes months until all browsers release a new version. If for any reason you wish to remove the site from the preload list, that takes time too. So, think before enabling preload.
It solves the common problems of HTTP Strict Transport Security. Even if a user visits your website for the first time, the web browser will load it over HTTPS, and without HTTPS the site won't load at all. In other words, your HTTP URL won't work. In this case you need to make sure that you always have a valid certificate and that your website redirects to the HTTPS version permanently. You can use Certbot, an open source tool, to deal with the SSL problem: Certbot gives you the ability to automate renewing an existing SSL certificate. But if you are using a paid SSL certificate, renew it manually when needed. HSTS Preload also prevents Session Hijacking attacks. So, it's a good thing to have your domain HSTS preloaded.
At the same time, the internet is quite big. There are so many websites, and countless more are created every day. It is quite hard to include every domain that has a TLS / SSL certificate in the preload list; arguably, it is impossible to include the entire web. However, as a website admin you can do your part. You can declare HSTS rules in the DNS records of your domain, and submit your site manually to be added to the preloaded list.
In simple words, the Domain Name System (DNS) is like a database table that stores your domain information: A records, MX records, TXT records, etc. What loads in a web browser after someone types in the domain name depends on the specified DNS records.
Enable HSTS Preload
In this section, you will see how to manually add a website to the preloaded list of web browsers. This requires you to submit your website at hstspreload.org, where you can also check the current status of your website.
But remember that you need a valid certificate and the HSTS header set before you submit your site. Also make sure your website is redirected to HTTPS permanently. Be careful with redirects; don't create a redirect chain. Wait a while if the site's header is not updated promptly.
HSTS is an HTTP header, so it needs to be implemented on the server. For Apache, please follow these steps:
- First, please log in to your server and enable the headers module by executing a2enmod headers in a terminal, with sudo if necessary.
- Then please restart your Apache server. You may execute service apache2 restart on Ubuntu or similar distributions, again with sudo if needed. You might want to execute service apache2 graceful instead if your site is busy at the moment.
Apache will advise its threads to exit when idle, and then apache reloads the configuration (it doesn't exit itself); this means statistics are not reset. (jeffmcneill on StackOverflow)
- After that, please go to the available sites config folder, usually /etc/apache2/sites-available on Ubuntu, and add Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" in the VirtualHost section for the SSL port (443).
- Finally, restart your Apache server again to apply the changes.
If you are using shared hosting and don't have SSH access to the server (usually you won't), you can use the .htaccess file to declare the HSTS policy. Just open the file and add the same Header directive shown in the Apache steps above at the end of it. In this case, make sure the headers module is enabled on your server. You can talk to your hosting support, but usually the basic required features are enabled.
Enabling HSTS on Nginx by setting the HSTS policy is also pretty simple. First, please log in to your server and open the server block in your Nginx configuration. Then add add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; within the block, perhaps at the end.
Now that you are done configuring your server, it's time to submit the site to hstspreload.org! You will see an error if any of the requirements is not met. If you have a valid certificate, the right redirect rules set, and the header properly set, then you won't face any trouble. But I suggest waiting a while before trying to submit. Once you submit your domain, it will be added to the preloaded list eventually. As mentioned earlier, it can take some time, maybe months. You will see the changes in the newer versions of the web browsers.
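The two limitations discussed above (a first visit and an expired policy) and the header checks the submission form applies can both be seen in this small model, an added example that is not part of the original article: parse_sts reads a Strict-Transport-Security value, preload_problems applies the requirements hstspreload.org enforces on the header itself (max-age of at least one year, includeSubDomains, preload; the redirect check needs a live request and is left out), and Browser models a user agent's HSTS cache next to a built-in preload list. The host names are constructed for illustration.

```python
# Added example, not from the original article: browser-side HSTS model plus preload header checks.
ONE_YEAR = 31536000  # smallest max-age (seconds) hstspreload.org currently accepts

def parse_sts(header):
    """Return (max_age, includeSubDomains, preload) or None if unusable."""
    max_age, subs, preload = None, False, False
    for token in header.split(";"):
        name, _, value = token.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":  # directive names are case-insensitive
            subs = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, subs, preload)

def preload_problems(header):
    """Reasons the submission form would reject this header value."""
    parsed = parse_sts(header)
    if parsed is None:
        return ["no valid max-age directive"]
    max_age, subs, preload = parsed
    checks = [(max_age >= ONE_YEAR, "max-age below one year"),
              (subs, "includeSubDomains missing"),
              (preload, "preload directive missing")]
    return [msg for ok, msg in checks if not ok]

class Browser:
    def __init__(self, preload_list=()):
        self.preload = {h.lower() for h in preload_list}  # shipped with the browser
        self.cache = {}  # host -> (expiry time, includeSubDomains)

    def saw_https_response(self, host, header, now):
        parsed = parse_sts(header)  # a header seen over plain HTTP is never stored
        if parsed:
            self.cache[host.lower()] = (now + parsed[0], parsed[1])

    def upgrades(self, host, now):
        """True if an http:// request to host would be rewritten to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preload:
                return True  # list entries cover subdomains and never expire
            expiry, subs = self.cache.get(name, (0, False))
            if now < expiry and (i == 0 or subs):
                return True
        return False  # first visit with no preload entry: plain HTTP goes out
```

Because only an HTTPS response can populate the cache, the Apache and Nginx directives above belong in the port 443 server block; a cached policy also stops protecting the site once the victim's clock passes its expiry, which is exactly what a preload entry avoids.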
Recommended Papers
- ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
- The Need for Coherent Web Security Policy Framework(s)
- RFC 6797
HSTS Preload is one of the security tweaks that can improve your website's security. Having a secure website is a must. Your website is as valuable as your business: it represents your products and services to the world. Moreover, a good website ranking in search engines can increase your sales significantly. Even if you are not into eCommerce, a good website represents your business.
Disclaimer: This content, "HSTS Preload — Using TLS / SSL Certificate Properly", and everything used in it are copyrighted material of S M Mahmudul Hasan; please credit properly if you are using any material (images, paragraphs, etc.).