Revision 70891 of Strict-Transport-Security

  • Revision slug: Security/HTTP_Strict_Transport_Security
  • Revision title: HTTP Strict Transport Security
  • Revision id: 70891
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment: fix errors; 61 words added, 37 words removed

Revision Content

{{ gecko_minversion_header("2.0") }}

HTTP Strict Transport Security is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

How it helps

If a web site accepts a connection through HTTP and redirects to HTTPS, the user may initially talk to the non-encrypted version of the site before being redirected, for example when the user types http://www.foo.com/ or even just foo.com.

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

An example scenario

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

Enabling Strict Transport Security

Enabling this feature for your site is as simple as returning the Strict-Transport-Security HTTP header when your site is accessed over HTTPS:

Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
expireTime
The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
includeSubdomains {{ optional_inline() }}
If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
Note: You do not return the Strict-Transport-Security header when your site is accessed using HTTP; a header delivered over an unencrypted connection cannot be trusted, because an attacker performing a man-in-the-middle attack could have inserted or altered it, so browsers ignore it.

How the browser handles it

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring.
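The browser-side behaviour described in the sections above (accept the header only over HTTPS, upgrade later HTTP loads to HTTPS, let the policy lapse after max-age, extend it on every fresh delivery, honour includeSubdomains), as an added Python model that is not part of this MDN page or of Firefox's implementation; the class and function names are the example's own, and the current time is passed in as `now` so the expiry logic is deterministic.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header):
    """Parse 'max-age=N [; includeSubDomains]'; directive names are case-insensitive."""
    max_age, include = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None  # malformed max-age: treat the whole header as absent
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else (max_age, include)

class HstsStore:
    """A browser's memory of which hosts must only be loaded over HTTPS (example model)."""

    def __init__(self):
        self.entries = {}  # host -> (absolute expiry time in seconds, includeSubDomains flag)

    def observe(self, url, header, now):
        """Record the header from a response; it only counts if it arrived over HTTPS."""
        parts, parsed = urlsplit(url), parse_sts(header)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include = parsed
        # Every delivery resets the expiry, so a site can keep the policy from lapsing.
        self.entries[parts.hostname] = (now + max_age, include)
        return True

    def rewrite(self, url, now):
        """Upgrade an http:// URL to https:// when a live policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # no policy, or it has expired: the HTTP load proceeds as normal
            if i == 0 or entry[1]:
                # Port 80 becomes the HTTPS default; any other explicit port is kept.
                port = "" if parts.port in (None, 80) else f":{parts.port}"
                return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))
        return url
```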

Specification

See also

Revision Source

<p>{{ gecko_minversion_header("2.0") }}</p>
<p>HTTP Strict Transport Security is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.</p>
<h2>How it helps</h2>
<p>If a web site accepts a connection through HTTP and redirects to HTTPS, the user may initially talk to the non-encrypted version of the site before being redirected, for example when the user types <span class="nowiki">http://www.foo.com/</span> or even just <span class="nowiki">foo.com</span>.</p>
<p>This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.</p>
<p>The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.</p>
<h3>An example scenario</h3>
<p>You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.</p>
<p>Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.</p>
<h2>Enabling Strict Transport Security</h2>
<p>Enabling this feature for your site is as simple as returning the <code>Strict-Transport-Security</code> HTTP header when your site is accessed over HTTPS:</p>
<pre>Strict-Transport-Security: max-age=<em>expireTime</em> [; includeSubdomains]
</pre>
<dl> <dt><code>expireTime</code></dt> <dd>The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.</dd> <dt><code>includeSubdomains</code> {{ optional_inline() }}</dt> <dd>If this optional parameter is specified, this rule applies to all of the site's subdomains as well.</dd>
</dl>
<div class="note"><strong>Note:</strong> You do <strong>not</strong> return the <code>Strict-Transport-Security</code> header when your site is accessed using HTTP; a header delivered over an unencrypted connection cannot be trusted, because an attacker performing a man-in-the-middle attack could have inserted or altered it, so browsers ignore it.</div>
<h2>How the browser handles it</h2>
<p>The first time your site is accessed using HTTPS and it returns the <code>Strict-Transport-Security</code> header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.</p>
<p>When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.</p>
<p>Whenever the Strict-Transport-Security header is delivered to the browser, it will update the expiration time for that site, so sites can refresh this information and prevent the timeout from expiring.</p>
<h2>Specification</h2>
<ul> <li><a class=" external" href="http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02" title="http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02">IETF Draft</a></li>
</ul>
<h2>See also</h2>
<ul> <li>Blog post: <a class=" external" href="http://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html" title="http://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html">HTTP Strict Transport Security has landed!</a></li> <li>Blog post: <a class=" external" href="http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/" title="http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/">HTTP Strict Transport Security (force HTTPS)</a></li>
</ul>