The Ultimate Guide to HSTS Protocol

April 16, 2019

What is HSTS?

HSTS stands for “Hyper Strict Transport Security.” It was originally called “STS,” for “Strict Transport Security,” but since it applies to HTTP, the “H” was added.

The documentation for HSTS was originally published in 2012, so it has been around for quite some time, though it has only really come into the spotlight in the last couple of years. My guess as to why is mainly adoption and the fact that Google has put a lot of recent emphasis on user security concerns.

At its core, HSTS is a policy mechanism that is added to a server that communicates with a user-agent. It instructs the user-agent to only interact with the secure (HTTPS) version of a website.

Below are illustrations of the differences between a server that doesn’t have HSTS and one that does.

Without HSTS: the initial request, unless the user explicitly asks for HTTPS, defaults to HTTP. Only after that first response comes back from the server does the user-agent retry the resource over HTTPS, and the same round trip repeats every time the user reaches another page through an HTTP request.

With HSTS: the initial request, unless the user specifies HTTPS, is still sent over HTTP (the exception is the preload list, covered later). But once the HSTS policy has been read, the browser stops any subsequent HTTP request before it leaves and uses HTTPS instead, until the max-age set in the HSTS policy expires.

Benefits of HSTS Protocol

HSTS protocol does bring additional benefits to a website in terms of both SEO and security. While the benefits do not directly impact organic rank, they can provide an indirect boost.

Page Load

When an HSTS policy is in place, the browser, after the first non-secure request, requests only the secure version of every asset. The round trip in which a browser requests a non-secure resource and is redirected takes only a fraction of a second, but with HSTS in place that round trip no longer happens. Even a fraction of a second of page-load time can have a big impact on organic ranking.

Security

Google has put a lot of emphasis on website security and announced years ago that HTTPS would be a small ranking factor. Because security matters to Google (it makes a user’s experience better and safer), adding security to a website is a no-brainer. With an HSTS policy in place, you remove the split second in which a request could be hijacked by a hacker. This hijacking is called SSL stripping: the initial non-secure (HTTP) request or data transfer to a website is intercepted, and the hijacker pretends to be the website, becoming the “middleman” between the user and the server. So, if credit card details are sent, they go to the hacker first, who then forwards the request to the server.

Downsides of HSTS Protocol

While there are many benefits of implementing HSTS policy, there are a few valid concerns that I must cover.

  • preload, explained below, is a great feature, but it can’t be undone. If your site for whatever reason has to revert to HTTP, even if you follow all the right steps for phasing out the policy, browsers will keep the entry in their lists for months, until a new browser update is released and the user installs it.
  • includeSubDomains, also explained below, can cause issues if you have unsecured subdomains (e.g. http://blog.example.com). It means you have to make all of your subdomains secure (HTTPS) as well and keep all of those certificates up to date.
  • max-age is a required attribute and, like the attributes above, has a downside: if you ever have to make an unsecured call to the server for whatever reason, it will not work for visitors who have already cached the policy.

How to Implement HSTS Policy

Implementing an HSTS policy is pretty straightforward if you are comfortable with HTTP headers. First, you must be serving the site over HTTPS; HSTS will not work without it. Once that is configured, you add one additional response header:

Strict-Transport-Security: max-age=expireTime

expireTime: The policy lifetime in seconds. It tells the browser how long to enforce the policy and should be set as far ahead as possible.

There are also two additional attributes that can be added to the header response: “includeSubDomains” and “preload.”

includeSubDomains: This instructs the browser that all subdomains under the TLD should also be included in the policy.

preload: This instructs the browser that your website has been added to the HSTS preload list. The preload list is a list of websites that browsers know are using the HSTS policy already.

I mentioned earlier that the initial HTTP request to a website — even with HSTS policy — is vulnerable. The preload attribute fixes this, essentially eliminating the potential for “middleman” attacks. Since a browser will already know which websites are using HSTS policy, if a non-secure request comes in, it will automatically switch it to HTTPS even if it’s the first time accessing the website. It will still adhere to the max-age setting.
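To make the behaviour described in the two illustrations above and in this preload paragraph concrete, here is an added Python example (not code from the original article) that models a browser’s HSTS cache: it parses the Strict-Transport-Security header with the RFC 6797 rules, upgrades http:// URLs for known hosts and, when includeSubDomains was set, their subdomains, forgets a host once max-age has elapsed, and treats a preloaded host as known from the very first visit. The host names, timestamps and the one-entry preload list are constructed for the demonstration; the real preload list is compiled into the browser.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the original article: a small model of how a
# user-agent applies the Strict-Transport-Security header (RFC 6797) and keeps
# a cache of "known HSTS hosts". Host names and timestamps are constructed.


@dataclass
class HstsPolicy:
    max_age: int                     # required; lifetime of the policy in seconds
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; None means a browser would ignore the header.

    RFC 6797 rules applied: directive names are case-insensitive, a directive
    may appear at most once, max-age is required (its value may be quoted),
    and unknown directives are ignored rather than rejected.
    """
    seen = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # duplicate directive invalidates the whole header
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return HstsPolicy(int(seen["max-age"]),
                      "includesubdomains" in seen, "preload" in seen)


@dataclass
class UserAgent:
    """Simulated browser: learns HSTS hosts and upgrades http:// before sending."""
    preload_list: frozenset = frozenset()       # hosts shipped inside the browser
    known: dict = field(default_factory=dict)   # host -> (expires_at, include_subdomains)

    def is_hsts_host(self, host: str, now: float) -> bool:
        labels = host.lower().split(".")
        # Check the exact host, then each parent domain; a parent only counts
        # when its policy carried includeSubDomains (preload entries always do).
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload_list:
                return True
            entry = self.known.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # max-age elapsed: the browser has forgotten this host
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_hsts_host(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def receive(self, host: str, scheme: str, headers: dict, now: float) -> None:
        """Process a response; the STS header only counts when received over HTTPS."""
        if scheme != "https":
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.known.pop(host.lower(), None)  # max-age=0: forget the host
        else:
            self.known[host.lower()] = (now + policy.max_age, policy.include_subdomains)


def demo() -> list:
    """Replay the article's scenario; returns the URLs the browser would request."""
    ua = UserAgent(preload_list=frozenset({"preloaded.example"}))
    t0 = 1_000_000.0
    out = [ua.rewrite("http://www.example.com/", t0)]        # first visit: plain HTTP
    ua.receive("www.example.com", "https",                   # server answers over HTTPS
               {"Strict-Transport-Security": "max-age=3600; includeSubDomains"}, t0)
    out.append(ua.rewrite("http://www.example.com/login", t0 + 10))   # upgraded
    out.append(ua.rewrite("http://shop.www.example.com/", t0 + 10))   # subdomain too
    out.append(ua.rewrite("http://www.example.com/", t0 + 3601))      # max-age elapsed
    out.append(ua.rewrite("http://preloaded.example/", t0))           # first visit, preloaded
    return out
```

Calling demo() returns the five URLs the simulated browser would actually send: the first visit and the visit after max-age has elapsed go out as plain http://, everything in between and the preloaded host go out as https://. Note that receive() discards a Strict-Transport-Security header delivered over plain HTTP, which is why the header only needs to be set on HTTPS responses.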

How to Add HSTS to Header in Apache

This can be done through the hosting account itself; if you have FTP access to the website files and admin privileges, you can do it there, too.

In either case, you need to locate your .htaccess file. It is hidden by default, and how you show hidden files depends on which FTP client you’re using.

For Filezilla

  • Open the Filezilla FTP program.
  • From the menu bar at the top of the screen, select “Server.”
  • Select “Force showing hidden files.”
  • In the “Remote Site” panel on the right, you should now see all of your files — including any hidden ones.

Once you can see .htaccess, you need to edit it and upload it back to the server through Filezilla, or edit it directly in your host’s file-editing area once you’ve accessed your website files through that method.

You simply add the following code to the .htaccess file. It doesn’t matter where it’s added as long as it’s added on its own line:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

How to Add HSTS to Header in IIS 7/8

Note: These instructions are for installations of IIS 7/8. Additional links to tutorials for other versions are included after these instructions.

  • Run the IIS manager.
  • Choose your website from the installations that are listed.
  • Select “HTTP Response Headers.”
  • Click on “Add” in the “Actions” section.
  • In the “Add Custom HTTP Response Header” dialog, add the following:
    1. Name: Strict-Transport-Security
    2. Value: max-age={selected expiration}; includeSubDomains; preload

This should be paired with a regular expression 301 redirect that redirects all non-secure requests (HTTP) to secured requests (HTTPS). HTTPS is a must in order to add the HSTS policy without causing serious issues.

How to Add HSTS to Header in IIS 10.0 version 1709

With IIS 10, enabling HSTS became a lot easier for admins. It is native to IIS 10, so enabling it is a matter of setting a few configuration attributes. The following example from Microsoft gives a good overview of how to configure them. The attributes that need to be configured are “enabled,” “max-age” and “redirectHttpToHttps.”

Below is an example of the code that should be run using the IISAdministration PowerShell cmdlets:

Import-Module IISAdministration

Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

# Locate the site element ("Contoso" is the sample site name; use your own site's name).
$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sitesCollection -ConfigAttribute @{"name"="Contoso"}
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName "hsts"

# Enable HSTS, set max-age to one year (in seconds) and redirect HTTP requests to HTTPS.
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $true
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 31536000
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "redirectHttpToHttps" -AttributeValue $true

Stop-IISCommitDelay
Remove-Module IISAdministration

There’s also a great tutorial for learning how to add the code above on the iis.net blog.

How to Test HSTS Implementation

There are various ways and websites out there that allow you to test the implementation. You can also do it in the Chrome browser itself by following the steps below.

1. Visit the website in question and click on the icon on the far right of the browser window to open the customization options menu.

2. Click on “Developer Tools” after hovering over “More Tools.”

3. You’ll see the screen below. Be sure the “Network” tab is selected.

4. Refresh the website or hit CTRL + R. The assets of the website will be loaded in the window to the right.

5. Click on the first asset that is loaded. This will contain the header responses that you need to look for.

6. Look for “strict-transport-security” listed in the window that pops up.
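The DevTools walk-through checks for the header by eye. The following added Python example (not from the original article) performs the same check on a pair of captured responses, one for http:// and one for https://, and also verifies the points made in the IIS section: that plain HTTP redirects to HTTPS and, when the preload attribute is set, that the preload list’s published submission requirements (a one-year max-age plus includeSubDomains) are met. The sample responses at the bottom are constructed, not captured from a real site; the fetch helper is included for running the same checks against a live host.

```python
import http.client
from typing import Dict, List, Tuple

# Added example, not code from the original article: an offline check of the
# things the DevTools walk-through inspects by eye. A response is modelled as
# (status, headers). The sample responses at the bottom are constructed.

ONE_YEAR = 31536000  # seconds; the max-age used in the article's Apache example

Response = Tuple[int, Dict[str, str]]


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for k, v in headers.items():
        if k.lower() == wanted:
            return v
    return ""


def sts_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': ''}."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out


def check_hsts(host: str, http_resp: Response, https_resp: Response) -> List[str]:
    """Return the findings for one host; an empty list means every check passed."""
    findings = []
    status, http_headers = http_resp
    location = header(http_headers, "Location")
    # 1. Plain HTTP must redirect to the HTTPS origin of the same host, otherwise
    #    a first visit never reaches the response that carries the policy.
    if status not in (301, 308) or not location.lower().startswith(f"https://{host.lower()}"):
        findings.append("http:// does not redirect (301/308) to https:// on the same host")
    # 2. Browsers ignore an STS header received over plain HTTP; sending it there
    #    usually means the header was added without an HTTPS-only condition.
    if header(http_headers, "Strict-Transport-Security"):
        findings.append("Strict-Transport-Security sent over plain HTTP (ignored by browsers)")
    # 3. The HTTPS response must carry a policy that browsers will accept.
    value = header(https_resp[1], "Strict-Transport-Security")
    if not value:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    d = sts_directives(value)
    if not d.get("max-age", "").isdigit():
        findings.append("max-age missing or not a number; browsers ignore the header")
        return findings
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host (only use when phasing HSTS out)")
    # 4. preload only makes sense when the list's submission requirements hold:
    #    a max-age of at least one year and includeSubDomains.
    if "preload" in d:
        if max_age < ONE_YEAR:
            findings.append(f"preload set but max-age={max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("preload set but includeSubDomains is missing")
    return findings


def fetch(host: str, scheme: str) -> Response:
    """Fetch '/' once, without following redirects, for a live check of a host."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    headers = {k: v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


# Constructed sample: a site that followed the IIS steps (header with preload)
# but still answers plain HTTP with a 200 page instead of redirecting.
SAMPLE_HTTP = (200, {"Content-Type": "text/html",
                     "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
SAMPLE_HTTPS = (200, {"Content-Type": "text/html",
                      "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})

if __name__ == "__main__":
    for finding in check_hsts("www.example.com", SAMPLE_HTTP, SAMPLE_HTTPS) or ["all checks passed"]:
        print("-", finding)
```

For the constructed sample, check_hsts() reports two findings: the missing HTTP-to-HTTPS redirect and the policy header being sent over plain HTTP. To check a real deployment, pass fetch(host, "http") and fetch(host, "https") in place of the samples.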
