What is HTTP Strict Transport Security?

From Wikipedia, the free encyclopedia

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections,[1] and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTPS response header field named “Strict-Transport-Security”.[2] HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.[3] As the HSTS HTTP Header is only recognized when sent over an HTTPS connection, websites can still allow users to interact with the website using HTTP, to allow compatibility with non-HTTPS user agents.


More simply speaking, HSTS keeps a user from being fooled into using a fake duplicate of a web page that hackers and scammers serve via DNS spoofing or some other attack. It also forces the web browser to use secure HTTPS.

For example, a hacker can set up their own free Wi-Fi hotspot and advertise “Free Wifi” in a public place. Since the attacker controls this network, they can set up DNS spoofing to forge the DNS for a website, like facebook.com, so that it forwards to their own phishing site rather than the legitimate Facebook website. The user then browses to the fake Facebook page and tries to log in. This results in the attacker gaining the user’s Facebook credentials.

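With HSTS, all modern browsers are instructed to use only strict HTTPS for the site. This stops the user’s own browser, on the client side, from even establishing a connection to the fake page and displaying it. The protection applies once the browser has received the site’s HSTS header over an earlier HTTPS connection, and it lasts for the period of time the policy specifies.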

[Image: HSTS browser error]

With the error above, the user is warned that they do not have a secure connection.

How to Test HTTP Strict Transport Security (HSTS)

Testing for HSTS can be done by checking for the existence of the HSTS header in the server’s HTTP response headers.

One of the easiest ways to do this is to use curl, demonstrated below.

curl -s -D- -o /dev/null https://www.twitter.com/ | grep -i strict-transport-security

If there is no output, then HSTS is most likely not enabled. Below is the full header without the grep statement.

 

With the “strict-transport-security” statement, we can clearly see that HSTS is enabled.
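
The presence of the header is only the first check; the policy inside it also matters. The following is an added example, not part of the original post: a shell function that reads raw response headers (such as the curl output above) and classifies the HSTS policy. The function name hsts_check, the MIN_AGE threshold of 180 days and the sample headers are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify the HSTS policy found in raw HTTP response headers.
# Live use: curl -s -D- -o /dev/null https://example.com/ | hsts_check
# MIN_AGE (assumption): smallest max-age treated as adequate, here 180 days.
MIN_AGE=15552000

hsts_check() {
    # Header names are case-insensitive; strip the CR of CRLF line endings.
    # RFC 6797: a user agent processes only the first HSTS header field.
    value=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 | cut -d: -f2-)
    if [ -z "$value" ]; then
        echo "missing"
        return 0
    fi
    # Directive names are case-insensitive and max-age may be a quoted string,
    # so lowercase the value and drop whitespace and quotes before parsing.
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' \t"')
    age=$(printf '%s\n' "$lower" | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "invalid"              # max-age is a required directive
    elif [ "$age" -eq 0 ]; then
        echo "disabled"             # max-age=0 tells the browser to drop the policy
    elif [ "$age" -lt "$MIN_AGE" ]; then
        echo "short max-age=$age"   # policy expires quickly between visits
    else
        case ";$lower;" in
            *";includesubdomains;"*) echo "ok max-age=$age includeSubDomains" ;;
            *) echo "ok max-age=$age" ;;
        esac
    fi
}

# Constructed sample response headers (not captured from a real site).
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n' | hsts_check
```

A result of "disabled" or "short" means the header is present, so the grep test passes, but the browser will stop enforcing HTTPS immediately or soon after the visit.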