HTTP Strict Transport Security, or HSTS, is a web security policy mechanism that helps websites prevent attacks such as protocol downgrade attacks and cookie hijacking (cookie hijacking is covered in a separate article). Using this policy, web applications declare to web browsers that only a secure HTTPS connection should be used to interact with the website, and that the insecure HTTP protocol should never be used, for a specified period of time, for example one year.
Why HTTP Strict Transport Security
When a web browser connects to a website, normally there is no way for the browser to know in advance whether the website is meant to be served over a secure HTTPS connection or an insecure HTTP connection. So, if an insecure HTTP connection is established, the browser cannot tell whether it was meant to be an HTTP connection or whether the insecure connection is the result of an attack.
For example, in a protocol downgrade attack, the attacker intercepts the initial conversation between the web browser and the webserver and alters it so that both sides are tricked into believing the connection was only ever meant to be insecure and unencrypted: they conclude that SSL/TLS is not implemented. The attacker is then free to steal sensitive data transferred over the insecure connection. Details of such an attack are given in the separate article TLS Downgrade Attack For Email Transport.
HTTP Strict Transport Security, or HSTS, is a policy that can safeguard websites from these attacks. Using this policy, the webserver sends a header to the web browser telling it that all connections to the website are meant to be secure HTTPS connections. If the web browser then finds anything otherwise, an error message is displayed (e.g. "The server's TLS certificate is not trusted") and the user is warned about a possible attack.
How is HTTP Strict Transport Security implemented
HTTP Strict Transport Security or HSTS is implemented in the following manner:
1. When a web browser connects to the webserver for the first time, or for the first time after a certain interval, the webserver sends a header to the web browser, e.g. Strict-Transport-Security: max-age=31536000, to indicate that all connections made to the website during that interval (max-age, one year in this example) should be secure HTTPS connections.
2. The web browser turns any insecure http link referring to the website into a secure https link.
3. From then on, until max-age has elapsed, if any connection to the website fails to be a secure connection, an error message (e.g. "The server's TLS certificate is not trusted") is displayed to the user, so that the user is warned in advance about a possible attack.
Limitations of HTTP Strict Transport Security
When a web browser connects with the webserver for the first time or the first time after the certain interval max-age specified by HSTS policy of the website, the attacker can intercept and change the HSTS policy header of the website. And in that case, HSTS would fail to provide the intended security.
Google Chrome, Mozilla Firefox and Internet Explorer/Microsoft Edge address this limitation by shipping a built-in list of websites known to implement HSTS, so that an attacker cannot take advantage of the initial conversation by intercepting and changing it.
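The three steps above and the first-connection limitation, as an added Python example that is not code from the original article: a small model of how a browser's HSTS cache handles the Strict-Transport-Security header. The HstsStore class, the sample header value and the hosts example.test and preloaded.example are constructed for the illustration; the preloaded list stands in for the built-in list of known-HSTS sites mentioned above.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed sample header value, as a browser would see it on the first
# HTTPS response from a site (not captured from any real server).
SAMPLE_HEADER = "max-age=31536000; includeSubDomains"
# One directive: a token, optionally "=" and a (possibly quoted) value.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return None if it is unusable
    (missing, duplicated or non-numeric max-age), since a browser then ignores
    the whole header rather than applying it partially."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header_value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if max_age is not None or value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored (RFC 6797 section 6.1).
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload}


class HstsStore:
    """Hypothetical minimal model of a browser's HSTS cache. `preloaded` stands
    in for the built-in list of known-HSTS hosts shipped with the browser."""

    def __init__(self, preloaded=(), clock=time.time):
        self._clock = clock
        self._policies = {host: (float("inf"), True) for host in preloaded}

    def observe_response(self, host, scheme, header_value):
        """Step 1: learn the policy, but only from a response received over
        HTTPS; a header seen over plain HTTP is ignored (RFC 6797 section 8.1)."""
        if scheme != "https":
            return False
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self._policies.pop(host, None)  # max-age=0 means "forget this host"
            return True
        self._policies[host] = (self._clock() + policy["max_age"],
                                policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        now = self._clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # unknown, or max-age elapsed: protection is gone
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite_url(self, url):
        """Step 2: upgrade http:// links to https:// for known hosts."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))

    def must_block(self, host, tls_ok):
        """Step 3: for a known host, a connection that is not clean TLS (e.g. an
        untrusted certificate) is a hard error the user cannot click through."""
        return self.is_known(host) and not tls_ok


def demo():
    """Walk a simulated browser through first visit, learning and expiry."""
    clock = [1_000_000.0]  # fake clock so expiry can be driven deterministically
    store = HstsStore(preloaded=["preloaded.example"], clock=lambda: clock[0])
    r = {}
    r["before"] = store.rewrite_url("http://example.test/login")  # nothing known yet
    r["http_header_accepted"] = store.observe_response("example.test", "http", SAMPLE_HEADER)
    store.observe_response("example.test", "https", SAMPLE_HEADER)  # first HTTPS visit
    r["after"] = store.rewrite_url("http://example.test/login")
    r["subdomain"] = store.rewrite_url("http://www.example.test/")
    r["cert_error_blocked"] = store.must_block("example.test", tls_ok=False)
    r["preloaded"] = store.rewrite_url("http://preloaded.example/")  # safe on 1st visit
    clock[0] += 31536000 + 1  # max-age elapsed: back to the vulnerable state
    r["expired"] = store.rewrite_url("http://example.test/login")
    return r
```

Calling demo() walks through the behaviour the text describes: before the first HTTPS response nothing is upgraded, a header delivered over plain HTTP is discarded, afterwards http links are rewritten and a certificate error becomes a hard failure, a preloaded host is protected from the very first visit, and once max-age has elapsed the browser is back in the unprotected state. Two points worth checking on a real deployment follow from this model: the header only takes effect when it is sent on the HTTPS responses themselves (sending it on the HTTP side is harmless but useless), and because a long max-age makes certificate errors unbypassable, the certificate for every host covered by includeSubDomains has to be kept valid for that whole period.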
Another solution is to publish the HSTS policy in DNS records and retrieve them via DNSSEC, so that when the domain name is resolved after the user types the URL into the address bar, the web browser learns that the website implements HSTS.