Monday, October 26, 2020

What is the HTTP Strict-Transport-Security header & how to implement in your web application


HSTS (HTTP Strict-Transport-Security) is a response header that tells browsers to talk to your application only over HTTPS, which strengthens your ability to enforce TLS encryption of data in transit.

This header is important because it mitigates “man-in-the-middle” attacks such as TLS stripping, where an attacker positioned between the user and your server downgrades the connection to plain HTTP and can then read or alter data in transit.

Once the browser has seen this header over an HTTPS connection, it will transmit data to your application only over HTTPS for the duration of max-age, even if a typed address or a link explicitly specifies http://.

Secondly, HSTS forces the browser to refuse or upgrade any HTTP connection to your application, so that users cannot continue interacting over the insecure HTTP protocol. This minimises the likelihood of hackers intercepting data in transit.

Large tech companies like Facebook, Google, Gmail, Twitter and PayPal have all implemented HSTS in their web assets. 

How to implement the Strict-Transport-Security header in Apache

In Apache, add the following line to the server (VirtualHost) block of your httpd.conf or equivalent file. It requires mod_headers to be enabled, and it should be set on the HTTPS virtual host, since browsers ignore the header on plain HTTP responses:

Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"

How to implement the Strict-Transport-Security header in nginx

In Nginx, add the following line to the server block of your nginx.conf or equivalent file, again in the HTTPS server block:

add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";

How to implement the Strict-Transport-Security header in lighttpd 

Add this to your Lighttpd configuration file, which is usually located at /etc/lighttpd/lighttpd.conf. Note that max-age=300 is only suitable for initial testing; raise it to at least one year (31536000 seconds) before relying on preload.

server.modules += ( "mod_setenv" )

$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300; includeSubDomains; preload" )
}

How to implement the Strict-Transport-Security header in IIS

  1. Launch IIS Manager.
  2. In the left pane of the window, click on the website to which you want to add the header, then double-click HTTP Response Headers.
  3. In the HTTP Response Headers window, click Add…
  4. In the dialog that opens, type Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value, then click OK. The max-age value of 63072000 is the duration in seconds, which in this case equals two years. Because the value includes preload, it must be at least one year.

What does "preload" do when used in the Strict-Transport-Security header?

Adding the preload directive to your HSTS header signals that you want your domain added to the HSTS preload list, which is maintained by the Chromium project and also consumed by the other major browsers. Browsers with your domain on that list load your web application over HTTPS from the very first request, regardless of whether they have ever received the header. The directive alone does not enrol you: you also have to submit the domain at hstspreload.org.

But be careful with this directive. Once your domain is in the preload list, removing it can take up to a year to propagate to users.

This will not be a problem for you if your web application, and every subdomain under it (preloading requires includeSubDomains), can function without HTTP access.

How to verify that you've correctly implemented the Strict-Transport-Security header

It's simple and it's free. Use a free HTTP header scanning service to check whether your web server is returning the HSTS header with the values you configured.
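As an added example, not code from the original post and not connected to any scanning service, the following Python script covers two things discussed above. It models how a browser records an HSTS policy received over HTTPS and then upgrades later http:// requests (including subdomains, expiry and max-age=0), and it checks a header value against the header-level requirements of the preload list (max-age of at least one year, includeSubDomains, preload). The hostnames, header values and function names are my own constructed assumptions; the preload check does not cover the list's non-header requirements such as the HTTP-to-HTTPS redirect.

```python
"""Added example: parse an HSTS header, simulate browser enforcement, check preload eligibility."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the HSTS preload list


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into a {directive: value} map.
    Directive names are case-insensitive, so they are lower-cased; valueless
    directives such as includeSubDomains map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def preload_problems(value: str) -> List[str]:
    """Return the header-level reasons a value would be rejected for preloading."""
    d = parse_hsts(value)
    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


@dataclass
class HstsEntry:
    expires_at: float
    include_subdomains: bool


class HstsPolicyStore:
    """Minimal model of a browser's HSTS cache, following RFC 6797."""

    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}

    def observe_response(self, host: str, scheme: str, hsts: Optional[str], now: float) -> None:
        """Record a policy from a response. Plain-HTTP responses are ignored, so an
        on-path attacker serving port 80 can neither set nor clear a policy."""
        if scheme != "https" or hsts is None:
            return
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            return  # a header without a valid max-age is ignored
        if int(max_age) == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host.lower()] = HstsEntry(now + int(max_age), "includesubdomains" in d)

    def is_known_host(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is covered (port 80 becomes 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] + ":443" if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo() -> Dict[str, str]:
    """Walk through constructed exchanges; the hostnames are placeholders, not real sites."""
    now = time.time()
    store = HstsPolicyStore()
    # A header seen over plain HTTP must not create a policy.
    store.observe_response("example.com", "http", "max-age=2592000; includeSubDomains", now)
    before = store.rewrite_url("http://example.com/login", now)
    # The same header over HTTPS does, for 30 days, and covers subdomains.
    store.observe_response("example.com", "https", "max-age=2592000; includeSubDomains", now)
    return {
        "before": before,
        "after": store.rewrite_url("http://example.com/login", now),
        "subdomain": store.rewrite_url("http://api.example.com:80/v1", now),
        "other_host": store.rewrite_url("http://example.net/", now),
        "expired": store.rewrite_url("http://example.com/login", now + 2592001),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
    print(preload_problems("max-age=300; includeSubDomains; preload"))
```

Running the script prints the before/after URLs and reports that a max-age of 300 seconds (the value in the Lighttpd snippet above) is too short for preloading. To check a live server, feed the value of its Strict-Transport-Security response header into preload_problems; the script itself makes no network requests.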

The advanced next step in protecting your web application against hackers is to run regular vulnerability scans using an easy-to-use web application vulnerability scanning tool, like Cyber Chief.

Get your free trial of Cyber Chief now to see how it can help you grow your profits and keep attackers out. 
