HTTP headers | Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites from man-in-the-middle attacks by telling user agents and web browsers, through a response header, that the site must only be reached over HTTPS. Whenever a website accepts a connection over HTTP and then redirects to HTTPS, an opportunity for a man-in-the-middle attack is created: because the user first talks to the unencrypted version of the site, an attacker who controls the network can tamper with that redirect and lead the user to a malicious website. A server implements the HSTS policy by supplying the header over an HTTPS connection; a browser that receives it will load the site over HTTPS rather than HTTP for the stated period, even when the user types an http:// address.
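The server side of what the paragraph describes, as an added example that is not part of the original article: a small WSGI middleware that redirects plain-HTTP requests to HTTPS (the header would be ignored on an HTTP response anyway) and adds Strict-Transport-Security to every response sent over HTTPS. The hostnames, paths, the `X-Forwarded-Proto` trust assumption and the one-year policy value are constructed for the demo.

```python
# Added example, not from the original article: a WSGI middleware that
# applies the HSTS policy the way the text describes. Requests that arrive
# over plain HTTP are redirected to HTTPS; responses sent over HTTPS carry
# Strict-Transport-Security. Hostnames, paths and the policy are constructed.

# Hypothetical policy for the demo site (one year, covering subdomains).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True if the request was made over TLS, either directly or through a
    reverse proxy that sets X-Forwarded-Proto (assumed trustworthy here)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def hsts_middleware(app):
    """Wrap a WSGI app: redirect HTTP to HTTPS, add HSTS on HTTPS responses."""
    def wrapped(environ, start_response):
        if not is_https(environ):
            host = environ.get("HTTP_HOST", "localhost")
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Drop any header the app set so exactly one policy goes out.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Minimal application used behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over " + environ["wsgi.url_scheme"].encode()]


def make_environ(scheme, host="www.example.com", path="/account", query="tab=1"):
    """Build a constructed WSGI environ for one request (no real socket)."""
    return {
        "REQUEST_METHOD": "GET",
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": host,
        "PATH_INFO": path,
        "QUERY_STRING": query,
    }


def run_request(app, environ):
    """Invoke a WSGI app in-process and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = hsts_middleware(hello_app)
    for scheme in ("http", "https"):
        status, headers, body = run_request(secured, make_environ(scheme))
        print(scheme, "->", status, headers)
    # To serve for real behind a TLS terminator:
    # wsgiref.simple_server.make_server("", 8000, secured).serve_forever()
```

The redirect-then-header split matters: browsers only honour Strict-Transport-Security received on an error-free HTTPS response, so emitting it on the HTTP leg achieves nothing, while the redirect is what gets first-time visitors onto the connection where the header counts.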

Syntax:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives:

  • <expire-time>: The time, in seconds, for which the user agent or browser should access the server only in a secure fashion, by using HTTPS.
  • includeSubDomains: This directs the browser to apply the rule to all pages and sub-domains of the site as well.
  • preload: This is necessary for inclusion in most major web browsers’ HSTS preload lists.

Explanation: If a user types http://www.geeksforgeeks.com/ or geeksforgeeks.com into the address bar, the first request goes out over plain HTTP, which creates a chance for a man-in-the-middle attack. The redirect to HTTPS could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

Examples:

Strict-Transport-Security: max-age=3600; includeSubDomains

All pages and subdomains will be loaded over HTTPS for a max-age of 1 hour (3600 seconds). This blocks access to pages or subdomains that cannot be served over HTTPS.

Strict-Transport-Security: max-age=7200; includeSubDomains; preload

All present and future subdomains will be loaded over HTTPS for a max-age of 2 hours (7200 seconds). The preload suffix is required for submission to most major web browsers' HSTS preload lists.
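The browser side of the directives and the two example values above, as an added example that is not part of the original article: a parser for Strict-Transport-Security values following the rules in RFC 6797 section 6.1 (case-insensitive directive names, mandatory max-age, unknown directives ignored, a repeated directive invalidating the header), and a simplified per-host policy store that decides whether a later request must be upgraded to HTTPS, including the includeSubDomains and expiry cases. The `HstsStore` class, hostnames and timestamps are constructed for the demo; the preload list itself is not modelled.

```python
# Added example, not from the original article: how a browser interprets
# Strict-Transport-Security values such as the two shown above, and how the
# stored policy decides whether a later request to a host (or a subdomain)
# must be upgraded to HTTPS. Hostnames and timestamps are constructed.
import time
from dataclasses import dataclass
from typing import Dict


@dataclass
class HstsPolicy:
    max_age: int            # seconds the policy stays in force
    include_subdomains: bool
    preload: bool           # only meaningful to preload-list operators
    received_at: float      # when the header was seen (epoch seconds)

    def expired(self, now):
        return now >= self.received_at + self.max_age


def parse_hsts(value, now=None):
    """Parse a header value per RFC 6797 section 6.1. Returns None when the
    header is invalid and must be ignored."""
    now = time.time() if now is None else now
    seen = set()
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:          # duplicated directive: whole header invalid
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored (but still counted for duplicates)
    if max_age is None:           # max-age is mandatory
        return None
    return HstsPolicy(max_age, include_sub, preload, now)


class HstsStore:
    """The per-host policy cache a browser keeps (simplified, no preload list)."""

    def __init__(self):
        self.policies: Dict[str, HstsPolicy] = {}

    def receive(self, host, header_value, over_https, now=None):
        """Record a header seen on a response. It is only honoured when it
        arrived over HTTPS; max-age=0 tells the browser to forget the host."""
        if not over_https:
            return
        policy = parse_hsts(header_value, now)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self.policies.pop(host, None)
        else:
            self.policies[host] = policy

    def must_use_https(self, host, now=None):
        """True if the host itself, or a parent domain whose policy carries
        includeSubDomains, holds an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expired(now):
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000  # constructed timestamp
    store.receive("www.example.com", "max-age=3600; includeSubDomains", True, now=t0)
    store.receive("example.org", "max-age=7200; includeSubDomains; preload", True, now=t0)
    for host in ("www.example.com", "cdn.www.example.com", "example.com", "example.org"):
        print(host, "->", "https only" if store.must_use_https(host, now=t0) else "no policy")
```

Two consequences worth noticing: a policy set on www.example.com with includeSubDomains covers cdn.www.example.com but not the parent example.com, so a site that wants the bare domain protected must send the header from the bare domain too; and once max-age elapses the browser silently falls back to allowing HTTP, which is why the header has to be resent on every HTTPS response rather than once.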

To see Strict-Transport-Security in action, open the browser's developer tools (Inspect Element -> Network), select a request to an HTTPS site, and look for Strict-Transport-Security in the response headers.

Supported Browsers: The following browsers are compatible with HTTP Strict-Transport-Security.

  • Google Chrome 4.0
  • Internet Explorer 11.0
  • Firefox 4.0
  • Safari 7.0
  • Opera 12.0
