Re: STS header for secure landing pages

Anonymous
Not applicable

STS header for secure landing pages

Hi All,

I came across STS header for secure landing pages in a treasure chest . Did anyone enabled it yet ? what is it?

Kind Regards

Gabby

1 REPLY 1
SanfordWhiteman
Level 10 - Community Moderator

Re: STS header for secure landing pages

(H)STS is the Strict-Transport-Security HTTP header, a critical part of achieving true SSL/TLS security for any site (though you can't get all the way there unless you're also on the HSTS Preload List, a step curiously left out by otherwise informed folks ).

HSTS, in a nutshell, tells browsers to remember that a site wants to be accessed securely for a certain period of time.

So if someone casually browses to the http: form of a site (this happens when you type just a hostname into your browser) or follows an link that explicitly starts with http:, and the site then says, "Nope, we're now on SSL," the browser will remember to go directly to the SSL version directly next time, again for a certain period of time.  (Ideally, that "period of time" is effectively infinite.)

The world with HSTS is far more secure than it was before, but HSTS does not solve the underlying problem of people making initially insecure connections (and those initial connections can be easily intercepted by hackers, bursting the bubble of SSL meaning "immune to eavesdropping or interception").

For one, HSTS is not shared across browsers or devices, so each new connection has to independently follow the same insecure → redirect to secure → go straight to secure next time process. For another, HSTS doesn't prevent the initial insecure connection -- for that, you need to be on the browser's built-in preload list, as noted above.

Anyway, in order to enable HSTS you need to be absolutely sure that you have SSL working, because once a browser sees the HSTS header it will assume the secure version works. If there is a problem with the SSL cert, for example, the browser will not "back out" the HSTS behavior until the header is set to expire (which could be effectively never).