HSTS - Strict Transport Security

Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates
View previous topic :: View next topic  
Author Message
James Cook

Joined: 13 Oct 2018
Posts: 13
Location: Michigan USA

PostPosted: Wed Feb 27, 2019 6:54 pm    Post subject: HSTS - Strict Transport Security Reply with quote

We recently had a security check of our site and it performed very well but one flaw was noted; Strict Transport Security Not Enforced.

We do have the site secured with SSL, but apparently the addition of the HSTS needs to be done in the Abyss config. Where and how would we add:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Back to top View user's profile Send private message

Joined: 29 May 2006
Posts: 951
Location: Michigan, USA

PostPosted: Fri Mar 01, 2019 2:55 pm    Post subject: Reply with quote

Hi Jim. I was just reading up on HSTS at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.

For information's sake, I will include the following from this article:

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.

When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.

To enable this in Abyss, you want to force any HTTP connections to redirect to HTTPS. (Note: Obviously, the protocol for the host must be HTTP+HTTPS.)

To make that happen, go to your host --> General --> Advanced Parameters --> Exclusively Serve On HTTPS --> Add.

Virtual Path: /*

To enable the HSTS header, go to your host --> General --> Advanced Parameters --> Custom HTTP Headers --> Add.

Try adding the following:
Virtual Path: /*
HTTP Header Name: Strict-Transport-Security
HTTP Header Value: max-age=31536000; includeSubDomains

This should put the header on every webpage/resource your host transfers out. It will be ignored by the user's browser on HTTP connections, so that is why you want to do the HTTP --> HTTPS redirect.

Be careful with HSTS. If your certificate expires or the browser detects issues with your certificate, your website will potentially be entirely inaccessible. (This can even happen if the user's clock is outside of your cert's valid from and to dates.)
Need a LitlURL?

Back to top View user's profile Send private message Visit poster's website
Site Admin

Joined: 03 Mar 2002
Posts: 1286

PostPosted: Fri Mar 01, 2019 6:18 pm    Post subject: Reply with quote

Thanks pkSML for your detailed reply.

Some general guidelines about HSTS that may help considering using it or not:

HSTS will ensure that browsers will always connect to your site using HTTPS instead of HTTP.

HTTP remains required for the first request to your site, to inform the browser about its HSTS policy and to redirect to HTTPS. So your host should be in HTTP+HTTPS mode.

But HSTS should be used with care. Any future issue in your certificate validity may render your site not accessible for clients who have already taken note of your HSTS policy. Going back to HTTP is no more possible if HSTS is badly configured (with large max-age values.)

To learn more about HSTS in general, we recommend the article https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security .

To set HSTS, you'll need to add a custom header named Strict-Transport-Security to a HTTP+HTTPS host. The value of that header should be set according to the above article and to your use case. The scope of the header should be / (all the Web site.)

So should you implement HSTS or not? It depends on your Web site use and the kind of security you want to apply to it. If you're dealing with sensitive data from users (such as credit card numbers in forms), it is recommended to use HSTS.
Follow @abyssws on Twitter
Subscribe to our newsletter
Forum Administrator
Aprelium - https://aprelium.com
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates All times are GMT + 1 Hour
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB phpBB Group