What Is HSTS and How Does It Protect HTTPS From Hackers?

How Does Enabling HSTS Stop SSL Stripping?

Once a browser has received the HSTS header from a site, it loads that site only over HTTPS: any http:// link, bookmark, typed address or redirect for that host is rewritten to https:// inside the browser before a request is sent, and certificate errors for the host can no longer be clicked through. The attack window that exists with a 301 or 302 redirect, where the first request goes out in plaintext and an attacker on the path can answer it in the server's place, therefore never opens.

There is a weakness even in HSTS: the browser has to see the header at least once, over HTTPS, before it can enforce it. The first visit therefore still goes through the HTTP > HTTPS redirect unprotected, and the same is true again once the max-age has expired without the site being revisited (the browser refreshes the expiry on every HTTPS response that carries the header).

To close this gap, Chrome ships with a built-in preload list of HSTS-enabled sites. Site owners can submit their own domain at hstspreload.org if it meets the criteria: a valid certificate, HTTP redirected to HTTPS on the same host, every subdomain served over HTTPS, and the header sent on the base domain with a max-age of at least one year (31536000 seconds) together with the includeSubDomains and preload directives.

Sites on the list are compiled into future Chrome releases, so visitors running an up-to-date Chrome never make a plaintext request to them, not even on their first visit. Removal from the list is tied to the same release cycle, so preloading should be treated as a long-term commitment.

Firefox, Opera, Safari and Internet Explorer ship their own HSTS preload lists, but these are derived from the Chrome list maintained at hstspreload.org.

How to Enable HSTS on Your Website

To enable HSTS on your website you first need a valid TLS (SSL) certificate and a site that is fully working over HTTPS. If you send the header while anything is still HTTP-only, browsers that have seen the header will refuse to load those pages rather than fall back to HTTP, so check your website and every subdomain over HTTPS before continuing.

Enabling HSTS is straightforward: the web server has to send one extra response header on HTTPS responses (browsers ignore it when it arrives over plain HTTP). On Apache this is usually done with mod_headers in the .htaccess file or the virtual host configuration; other servers have an equivalent setting. The header to send is:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This is not a cookie but a policy the browser caches: max-age is its lifetime in seconds (31536000 is one year), and includeSubDomains extends it to every subdomain of the host that sent it. Once a browser has received the header, it will refuse to load the plain HTTP version of the site, or of any of its subdomains, for a year from the last visit. Make sure every subdomain is covered by the certificate and served over HTTPS; if one is not, it will stop working for anyone whose browser has already seen the header. A common precaution is to start with a short max-age (a few minutes) and raise it to a year only once everything has been confirmed to work.
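The following is an added example, not code from the original article, and it models the two things described above: the browser-side HSTS cache that rewrites http:// to https:// before any request leaves the machine (and only learns the policy from an HTTPS response, which is the first-visit gap), and a check of a Strict-Transport-Security header value against the hstspreload.org submission requirements. The host names and header values used are constructed for illustration.

```python
"""Added example (not from the original article): a minimal model of a browser's
HSTS cache plus a header-level check of hstspreload.org eligibility.  Host names
and header values below are constructed for illustration."""

import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated,
    case-insensitive directives.  max-age is mandatory, so it is never guessed."""
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires max-age")
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """The per-host HSTS cache a browser keeps: host -> (policy, expiry time)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested
        self._hosts = {}

    def observe(self, url: str, headers: dict) -> None:
        """Record a response's policy.  The header only counts over HTTPS
        (RFC 6797 s8.1), which is why the first visit stays exposed;
        max-age=0 removes the entry."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None or not parts.hostname:
            return
        policy = parse_hsts(value)
        host = parts.hostname.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (policy, self._now() + policy.max_age)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent whose policy has includeSubDomains,
        has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            policy, expiry = entry
            if expiry > self._now() and (i == 0 or policy.include_subdomains):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is
        sent.  This in-browser rewrite is what defeats SSL stripping: no
        plaintext request is left for an attacker on the path to answer."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        # port 80 becomes the implicit 443; any other explicit port is kept
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(value: str) -> list:
    """Header-level reasons hstspreload.org would reject a submission (empty
    list = the header itself is eligible).  Certificate validity, the HTTP
    redirect and HTTPS on every subdomain must be checked against the live site."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains directive")
    if not policy.preload:
        problems.append("missing preload directive")
    return problems
```

Feeding the article's header value (`max-age=31536000; includeSubDomains`) to `preload_problems` reports only the missing `preload` directive; the same value, once observed over HTTPS, makes `rewrite` upgrade http:// URLs for the host and all of its subdomains, while a response over plain HTTP is ignored.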

