Monday, October 26, 2020

What is the HTTP Strict-Transport-Security header & how to implement in your web application

HSTS (HTTP Strict-Transport-Security) is a response header, defined in RFC 6797, with which a site tells browsers that for a stated period it must only be contacted over HTTPS. It turns TLS from something the server merely offers into a policy the browser enforces on the client side.

This header matters because it mitigates protocol-downgrade ("SSL stripping") attacks: an attacker on the network path intercepts a user's initial plaintext http:// request and keeps serving the site over HTTP, while talking HTTPS to the real server behind the user's back. The server never sees anything stripped; the weakness is the client's willingness to start with HTTP. HSTS also stops cookies that are not marked Secure from leaking over a plain HTTP request to the same host.

Once a browser has seen the header on an HTTPS response, it rewrites every http:// URL for that host (typed, linked, bookmarked or embedded) to https:// before any request leaves the machine, for as long as the max-age has not expired. Note that browsers ignore the header on plain HTTP responses, so it only takes effect after the first successful HTTPS visit, and an attacker who controls that very first connection can still strip it; the preload list discussed below closes that gap.

Secondly, for a host covered by HSTS the browser treats any TLS problem, such as an untrusted or expired certificate or a name mismatch, as a hard failure: the connection is terminated and the user is not offered a "proceed anyway" button. This removes the click-through habit that attackers with a forged certificate rely on, and so further reduces the chance of data in transit being intercepted.

Large tech companies like Facebook, Google, Gmail, Twitter and PayPal have all implemented HSTS in their web assets. 

How to implement the Strict-Transport-Security header in Apache

In Apache the header is set with mod_headers, so the module must be loaded first (a2enmod headers on Debian-derived systems, or the matching LoadModule line in httpd.conf). Place the directive inside the VirtualHost that serves HTTPS (typically <VirtualHost *:443>), not in the port-80 host, which should only redirect to HTTPS. The always condition makes Apache add the header on error responses as well as successful ones:

Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains"

A max-age of 2592000 seconds is 30 days, a reasonable value while rolling out. Once you are confident every page and subdomain works over HTTPS, raise it to at least 31536000 (one year), which is also the minimum the preload list accepts.

How to implement the Strict-Transport-Security header in nginx

In nginx the header is set with add_header inside the server block that listens on 443 with ssl in nginx.conf or the site's include file:

add_header Strict-Transport-Security "max-age=2592000; includeSubDomains";

Two nginx-specific pitfalls: add_header directives are inherited from the enclosing level only when the current level has none of its own, so a location block that sets any other header (a Cache-Control, for example) silently drops the HSTS header unless you repeat it there. And by default add_header only applies to 2xx, 3xx and a few other status codes; append the always parameter (nginx 1.7.5 and later) if you want it on error responses too.

How to implement the Strict-Transport-Security header in lighttpd 

Add this to your Lighttpd configuration file, which is usually located at /etc/lighttpd/lighttpd.conf. The $HTTP["scheme"] condition restricts the header to HTTPS responses:

server.modules += ( "mod_setenv" )

$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}

While testing you can use a short max-age such as 300 seconds so that a mistake expires quickly; do not add the preload directive until max-age is at least one year, because the preload list rejects shorter values.

How to implement the Strict-Transport-Security header in IIS

  1. Launch IIS Manager.
  2. In the Connections pane on the left, select the website you want to add the header to and double-click HTTP Response Headers.
  3. In the Actions pane on the right, click Add…
  4. Type Strict-Transport-Security for Name and max-age=63072000; includeSubDomains; preload for Value, then click OK. The max-age value is a number of seconds; 63072000 equals two years. If you intend to submit the site to the preload list, the value must be at least 31536000 (one year). A custom header configured this way is sent on every response from that site, including ones over the HTTP binding; browsers ignore HSTS received over plain HTTP, so this is harmless, but the HTTP binding should itself redirect to HTTPS.

What does "preload" do when used in the Strict-Transport-Security header?

On its own the preload directive does nothing in the browser. It signals that you consent to the domain being submitted (at hstspreload.org) to the HSTS preload list maintained by the Chromium project, a list that Chrome, Firefox, Safari and Edge ship built in. A preloaded domain is treated as HTTPS-only from the very first visit, even before the browser has ever seen your header, which closes the remaining window in which a first plaintext request could be intercepted. To be accepted, the header served by the base domain over HTTPS must contain max-age of at least 31536000 (one year), includeSubDomains and preload, and plain HTTP must redirect to HTTPS on the same host.

But be careful with this directive. Once the entry ships in browsers, undoing it is slow: removal has to be requested and then waits for new browser releases to reach users, which can take many months, and users on older builds keep enforcing it. Because includeSubDomains is mandatory for preloading, every subdomain, including internal hosts, mail or test systems that are not available over HTTPS, becomes unreachable in those browsers.

This will not be a problem for you if the whole domain tree, not just the main web application, can function without HTTP access. Add preload only after running with a long max-age and includeSubDomains for a while without anything breaking.

How can I test whether I've correctly implemented the Strict-Transport-Security header?

It's simple and it's free. Use this free HTTP header scanning service to check whether the HSTS header is being sent by your web server, or inspect the response headers yourself in your browser's developer tools (Network tab) or with a command-line HTTP client. In Chrome you can also look up the policy the browser has stored for a host at chrome://net-internals/#hsts. Check the value and not just the presence of the header: a short max-age, a missing includeSubDomains, or a header that is only emitted for some paths all weaken the protection.
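As an added example (not part of the original post, and not the scanning service's own code), the following Python script does the two things a practitioner usually wants when checking HSTS: it parses a Strict-Transport-Security value the way RFC 6797 describes (directive names case-insensitive, max-age required, unknown directives ignored), reports why the preload list would reject it, and then models the browser-side behaviour described earlier on this page, namely the upgrade of http:// URLs for a known host, the effect of includeSubDomains on subdomains, expiry after max-age, and max-age=0 forgetting a host. Hostnames such as example.com and the fake clock are constructed for the demonstration; fetch_hsts is an optional network helper for checking a live site and is not used by the offline checks.

```python
"""Parse, validate and model HSTS policies (RFC 6797). Added example; inputs are constructed."""
import http.client
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.
    Directive names are case-insensitive, max-age is mandatory and may appear
    only once, and directives the browser does not know are ignored."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')  # RFC 6797 allows a quoted number
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Header-level reasons the preload list would reject this policy.
    (The site must also redirect HTTP to HTTPS; that is not checked here.)"""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} < {ONE_YEAR} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


class HstsStore:
    """Minimal model of a browser's Known HSTS Host store."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._hosts: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def learn(self, host: str, header: str) -> None:
        """Record the policy from a header received over HTTPS from `host`."""
        policy = parse_hsts(header)
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self._hosts[host] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if `host` or a superdomain with includeSubDomains has an unexpired policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None or self._now() >= entry[0]:
                continue
            if candidate == host or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Apply the pre-request rewrite: http:// to a known host becomes https://,
        explicit port 80 becomes 443 (dropped), other ports are kept (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fetch_hsts(host: str) -> Optional[str]:
    """Fetch the live header over HTTPS (needs network; not used by the offline checks)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")
```

Running parse_hsts on the 30-day header used in the Apache and nginx examples above reports two preload problems (max-age too short and preload missing), while the two-year IIS value passes; the store shows that api.example.com is only upgraded because the example.com policy carried includeSubDomains, and that the upgrade stops the moment max-age has elapsed.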

The advanced next step in protecting your web application against hackers is to run regular vulnerability scans with a user-friendly web application vulnerability scanning tool, like Cyber Chief.

Start your free trial of Cyber Chief now to see not only how it can help to keep attackers out, but also to see how you can ensure that you ship every release with zero known vulnerabilities. 

Or, if you prefer to have an expert-vetted vulnerability assessment performed on your web application you can order your vulnerability assessment from here. Each vulnerability assessment report comes with:

  • Results from scanning your application for the presence of the OWASP Top 10, the SANS/CWE Top 25 and thousands of other vulnerabilities.
  • A detailed description of the vulnerabilities found.
  • A risk level for each vulnerability, so you know which ones to fix first.
  • Best-practice fixes for each vulnerability, including code snippets where relevant.
  • One-month free access to our Cyber Chief web app vulnerability assessment & vulnerability management tool.
  • Email support from our application security experts.

Which option do you prefer?