http-header : strict-transport-security

http-header : strict-transport-security

It is a HTTP response header which is often termed as “HSTS”. This header allows a website by informing browsers that it should only be accessed using HTTPS rather than by using HTTP. This header is like an opt-in enhancement based on security which is specified by any web application by the use of a special and specific response header. When a supported browser gets this header, that very browser would prevent any sort of communications to be sent over HTTP and over to the specified domain, and would rather send all the communications over HTTPS only. It also helps prevent HTTPS click by use prompts on browsers.

Threats addressed by HSTS:

  • When a user bookmarks something or just manually types in “”, then he/she is subjected to an attack known as “man-in-the-middle”. Hence, what HSTS does is that it automatically redirects the requests from HTTP to HTTPS for that particular target domain.
  • When a web application which is actually intended to be of pure HTTPS inadvertently holds HTTP links or is said to serve content over HTTP, then here too HSTS by default transfers the requests from HTTP to HTTPS for that very target domain.
  • When an attacker carrying out “man-in-the-middle” attack tries intercepting traffic from a particular victim user by making use of an invalid certificate and thereby hopes that the user would accept that bad certificate, HSTS in such case doesn’t allow that user by any means to override the message regarding invalid certificate.

Any specific domain instructs the browsers about its enablement of HSTS by sending back or returning a HTTP header over a secure HTTPS connection. This header is found to be supported by all major latest versions of browsers such as, IE, Opera, Chrome, Safari and Firefox. Even before the implementation of this header, we must make sure that all our website pages are accessible over the secure HTTPS connection or else they would be blocked.

Benefits of HSTS:

  • HSTS helps by providing protection in relation to “protocol downgrade attacks” as well as “cookie hijacking”.
  • It also protects the users of any web application against few of the passive (eavesdropping) along with some active network attacks.
  • It also helps by automatically upgrading the fetches to the secure HTTPS in specific situations where a domain is said to have mixed content.
  • HSTS generally provides a much better security. That is, a HSTS-compliant browser removes or aborts connection to a HSTS-compliant server if security of a certificate cannot be successfully confirmed. Besides that users cannot click through the self-signed certificates.

Enablement in Apache:

HSTS can be implemented in Apache by adding the below mentioned syntax in “httpd.conf” file.

Header set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”

Apache then needs to be restarted in order to view the results.

Enablement in Nginx:

For configuration of HSTS to Nginx, the below mentioned syntax is added in “nginx.conf” which is under the server (ssl) directive.

add_header Strict-Transport-Security ‘max-age=31536000; includeSubDomains; preload’;

Then Nginx needs to be restarted so as to verify.

Enablement in Microsoft IIS:

First, the IIS Manager is launched and then the header is added by going to “HTTP Response Headers” for the respective site where header name along with its value is added. Lastly, the site is restarted.

For Microsoft systems that run IIS there is no presence of “.htaccess” file in order to implement the custom headers. So, the IIS applications make use of a central “web.config” file for configurational changes. So, for IIS 7.0 and above, we use the below mentioned configuration of the “web.config” file.

<?xml version=”1.0″ encoding=”UTF-8″?>





<rule name=”HTTP to HTTPS redirect” stopProcessing=”true”>

<match url=”(.*)” />


<add input=”{HTTPS}” pattern=”off” ignoreCase=”true” />


<action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}”

redirectType=”Permanent” />




<rule name=”Add Strict-Transport-Security when HTTPS” enabled=”true”>

<match serverVariable=”RESPONSE_Strict_Transport_Security”

pattern=”.*” />


<add input=”{HTTPS}” pattern=”on” ignoreCase=”true” />


<action type=”Rewrite” value=”max-age=31536000; includeSubDomains; preload” />







Copyrights ©2008: Valency Networks Pvt Ltd.