Share via QR Code
Sharing QR Code
Dark Mode:
Auto
Light
Dark

What is HSTS? Why is it Important for Websites?

Language/语言:   English   简体中文

By: Ken Deng   Published on Aug. 22, 2021

Approx. 2300 words, 10 mins

  Table of Contents

Hello there! My name is Ken and I am a Chinese senior high top student in Guangdong Country Garden School. Welcome to Ken's Study Journey website with Computer Science knowledge explanations!

Recently, HSTS has been implemented on my website to enhance security. Although HTTPS plays an important role, hackers can attack while redirecting from HTTP.

We have already learned HTTPS, SSL and TLS in IGCSE (0478) and A Level Computer Science (9618, 9608), but HSTS is beyond these syllabuses and it is an extension knowledge.

Websites like Baidu, Google, YouTube, University of Cambridge, and University of Oxford have already implemented HSTS so people can browse the Internet securely.

This is my first knowledge explanation on my new website. From now on, I will post some knowledge explanations of Mathematics (CAIE Syllabus Codes: 0580, 0606, 9709, 9231), Physics (0625, 9702), Chemistry (0620, 9701) and Computer Science (0478, 9618, 9608) that are explicit and easy to understand on my website, along with my excellent study tips.

Do you know how and why can HSTS further enhance visitor's security on a website? Let's dive in!

What is HSTS?

HSTS stands for HTTP Strict Transport Security. It is an extra layer that further ensures visitor's security.

Nowadays, an increasing number of websites, including my website, have started using HTTPS security protocol, especially banking and online booking/shopping websites. Hackers cannot read or modify encrypted data. HTTPS uses security certificates with encryption algorithms and keys.

Related Knowledge

Now, I am going to talk about an IGCSE Computer Science (0478) knowledge: SSL and TLS.

SSL is shorted by Secure Socket Layer, which is a secure protocol that secures the data transmission on the Internet. TLS is shorted by Transport Layer Security, which is a more recent secure protocol and it is safer and more efficient than SSL.

They have several steps to establish a secure connection with SSL and TLS after receiving the IP address from DNS servers:

  1. The browser sends a request to the server to identify itself, selecting the suitable SSL/TLS versions and encryption algorithms.
  2. The server sends a copy of its SSL certificate back to the browser, along with its public key.
  3. The browser verifies the certificate received with Certificate Authority (CA).
  4. If the certificate is valid, a message is sent back to the server and a session is created with a secret key. Otherwise, the browser interrupts the connection.
  5. The server begins encrypted data transmission.

TLS has 2 layers: Record Protocol and Handshake Protocol. The Handshake Protocol is used to establish secure connections. The Record Protocol can be used with or without encryptions.

Normal users do not know computer terms such as HTTP, HTTPS and SSL, so they usually type web addresses without typing "https://". Sometimes, hackers can intercept data while redirecting to HTTPS from HTTP which is very dangerous, but HSTS can force browsers to visit HTTPS site and redirect internally (inside the browser without requesting the server) if you do not add "https://" on the address bar. The browser will redirect to HTTPS website later on after the first visit.

It also can prevent browsers from accessing the website with no exceptions if a hacker intercepts the HSTS transmission, like this:

HSTS Failed in Chrome when Visiting my Website

The Image Says:

Attackers might be trying to steal your information from www.kenstudyjourney.com (for example, passwords, messages, or credit cards). Learn more

www.kenstudyjourney.com normally uses encryption to protect our information When Google Chrome tried to connect to www.kenstudyjourney.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.kenstudyjourney.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit www.kenstudyjourney.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

The Conflict between HSTS and WiFi Login Page

Please note that this is normal if you are using a public WiFi. The WiFi router is trying to redirect you to the WiFi login page. The WiFi router can redirect you to its login page because it can change the data in the insecure HTTP transmission, so HTTPS websites cannot be accessed before logging to the WiFi.

Due to the development of HTTPS and HSTS, it is difficult to find a website that allows HTTP connection without HSTS.

Apple, Microsoft and I provided a test page to see whether a WiFi contains a login page, which can be directly accessed by HTTP. You can visit http://captive.apple.com, http://www.msftncsi.com or http://test.kenstudyjourney.com in your browser. They normally display a word Success, but it redirects to login pages in public WiFis.

Did you know?

New iPhone, iPad and MacBook usually visit captive.apple.com automatically to test after connecting to a WiFi. So, it can pop up a login page automatically.

Caution

If you are seeing the image above when visiting my website, apart from public networks with a login page, don't be panic and you should stop visiting my website first. The only thing you can do is to change WiFi networks or use cellular data (3G, 4G or 5G) on your phone.

Tip

Programmers on some websites may forget to add HTTPS redirection on their websites, although they have enabled HTTPS with SSL certificates. It means that the browser will not use HTTPS secure protocol if you do not add "https://" prefix in the address bar.

By the way, I recommend you to try to add "https://" prefix before the web address when you visit a website. You can remove it or change back to "http://" only when you see an HTTPS error page (i.e. no HTTPS enabled and no SSL certificates provided).

For example, you can type https://www.google.com when you access Google website.

The HSTS Response Header

When you access a website with HSTS, the server will send this header, which will be stored on your browser like Cookies. It means that this website must be accessed with HTTPS within the next 180 days (15552000 seconds) in this browser.

Strict-Transport-Security: max-age=15552000

The time of HSTS can be set and changed by website administrators or programmers. It is recommended to set this for over 180 days (half a year).

HSTS can be auto-renewed. The header is always sent whenever you access my website. If you access my website on the second day, the expiration date will be changed to the next 180 days.

In 2020, when I used WordPress on my previous website, I didn't decide to enable HSTS because I was afraid that people cannot use my website if someone intercepts the network or the SSL certificate contains an error.

HSTS Preload

Some websites, like Cloudflare, have enabled a special feature that further enhances HSTS security. This is called: HSTS Preload.

As we know, it is insecure to visit a website without "https://" prefix for the first time. Before visiting a website, there is no HSTS header in your browser, so it may be dangerous when redirecting to HTTPS from HTTP.

However, HSTS Preload solved this problem. Every new browser has its preload list. Even if you hadn't visit a website, it must use HTTPS at all.

Look at this header, it is a little bit different from the header I mentioned above.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The website must satisfy with the following requirements if you want to add your website into the preload list of major browsers:

  1. The website must have a valid SSL certificate.
  2. The period must be at least one year (365 days, 31536000 seconds).
  3. The HSTS header must include subdomains. For example, planner.kenstudyjourney.com is a subdomain of kenstudyjourney.com
  4. HTTPS, redirections and HSTS must be enabled on all subdomains.
  5. The header must include an option "preload", which tells browsers that this website wants to add to the preload list.

If a website keeps satisfy these requirements for a few months, the domain will be added to the preload lists automatically.

Internal Redirection to HTTPS

Now, let's talk about how does internal redirection on browsers work if a website has enabled HSTS.

Internal redirection can prevent hackers on public WiFi from redirecting you to a fake website while redirecting to HTTPS.

When we firstly access my website using insecure HTTP at home (http://www.kenstudyjourney.com), the browser will receive these headers.

HTTP/1.1 301 Moved Permanently Location: https://www.kenstudyjourney.com
Did you know?

There are several types of HTTP status codes. They indicate the status of a server and it is handled by browsers. These are the common status codes:

  • 200 OK (This is sent when the webpage is working normally.)
  • 301 Moved Permanently (This is sent when the server redirects to another URL.)
  • 400 Bad Request (This is sent when the request does not satisfy with website's requirements.)
  • 403 Forbidden (This is sent when the server has blocked access. For example, this is common when website blocks IP addresses, countries/regions.)
  • 404 Not Found (Most common. This is sent when a resource cannot be found on the server.)
  • 429 Too Many Requests (This is sent when there are too many requests within a period of time. It may be exceeded the quota set by administrators.)
  • 500 Internal Server Error (This is sent when an error is occured at the code of the back end (server side).)
  • 503 Service Unavailable (This is sent when the server is overloaded or when the website is under maintenance.)

You can see that it is then redirected to the HTTPS version of my website.

When the browser accesses my HTTPS website, it will receive the following headers and the website content.

HTTP/1.1 200 OK Strict-Transport-Security: max-age=15552000

After the browser receives the HSTS header, it will store into the browser cache.

Now, when you go to a public WiFi and access my HTTP website again, the response header is a little bit different.

HTTP/1.1 307 Internal Redirect Location: https://www.kenstudyjourney.com

So, why is this? This is because the browser has stored the HSTS policy. This only costs about 2ms and the request is not sent to my server while redirecting. I will talk about revealing the response headers in the next section - if you are interested in.

That's why HSTS is crucial for websites. It can redirect websites to HTTPS without transmitting data with servers.

Revealing Response Headers

In most browsers with development tools, like Chrome, Firefox and Microsoft Edge (except for Safari), you can see the codes, request headers and response headers of a website. These kinds of information can be used for programmers to debug websites.

Now, I will teach you how to see the response headers, including redirections and HSTS policy, on your browsers.

Firstly, open your browser and press F12 or option+command+I key on the keyboard to open developer tools before accessing a website, and click “Network”.

See Response Header Step 1: Press F12 and Click Network

Then, you can enter any websites you want to test on the address bar.

See Response Header Step 2: Type the Web Address

When the files list appears, move to the top and click the first one (or the one directly related to the website). You can see Internal Redirect with a 307 status code or Redirection with a 301 status code was received (redirection can be 301 or 302). Below the status code, the location indicates which URL should the browser redirect to.

See Response Header Step 3: Headers on HTTP Site

Click on the second one, it will show the 200 OK status code and the HSTS header with a duration (max-age).

See Response Header Step 4: Headers on HTTPS Site

If you can see "Strict-Transport-Security", the website has enabled HSTS. The max-age indicates the validity in seconds.

Checking for HSTS in Safari

If you are using Safari, there is another method to see whether a website has enabled HSTS.

First, you need to access the website you want to check so that the browser can receive and store HSTS headers.

Then, open preferences by pressing command and comma keys on your keyboard. Click Privacy and Manage Website Data. Search the website's domain name. If it has enabled HSTS, you will see that it displays "HSTS Policy".

HSTS of Baidu in Safari HSTS of my website in Safari

Checking for HTTPS Security Grade

In fact, there is a tool that checks how is a website secure. It is called: SSL Labs, which is provided by Qualys.

It check whether the website has valid certificates, correct and secure protocols (TLS and SSL), and HSTS policies.

Its grades are very similar to the grades in CAIE (A+ (A*), A, B, C, D, E, F, T (U)).

In fact, my website got an A+ grade because I used secure protocols and enabled HSTS (I call it A* because I am studying Cambridge IGCSE and International AS and A Level). This indicates that students can study on my website safely without interception by hackers.

My Website Got an A+ Grade on SSL Labs

If you want to get an A+ grade on your website, it needs to satisfy with the following requirements:

  1. Has a valid SSL certificate (can be the free Let's Encrypt);
  2. The certificate needs to have strong encryption (at least 1024 bits on Key Exchange);
  3. Disabled all SSL and old versions of TLS (SSL2.0, SSL3.0, TLS1.0 and TLS1.1). Using old versions of SSL may be vulnerable to PODDLE attack. It is similar to disabling old 2G and 3G networks.;
  4. Enabled HSTS for at least 180 days (you do not need to enable preload);
  5. Use modern cipher suites (at least 256 bits);

Conclusion

HSTS is a record that can be stored on browsers, which can prevent hacker's interception when redirecting to HTTPS from HTTP. So, it can enhance website's security.

Alright! This is the end of the knowledge explanation of HSTS. Thanks for reading and I hope you can understand the security measure on websites.

Subscribe to my email newsletter to receive my latest articles, latest news, latest study tips and tutorials, some useful knowledge in real life, and more!

If you like this explanation, please click the thumb up button below and share this article. Also, you can write down your comment below if you have any ideas. This is the first time I write knowledge explanations. If it has any errors, you can contact me to correct them.

Still have questions or cannot understand my knowledge explanations? Don't be hesitant to contact me and I am here to help you. I speak English and Chinese.

Is this Article Helpful?

0

Share this Article

Comments

Privacy Notice: You will receive an email when your comment is replied. I will never disclose your email address. By sending a comment, you agree with my Privacy Policy.

From Sep. 1, 2020, your comments need to be audited by me artificially before displaying on my website in order to prevent spam comments. Please wait patiently and thanks for your cooperation.

I only speak English and Chinese. Comments in all other languages will be rejected. Markdown and HTML codes are not allowed for safety reasons.

林林
还是有一些浏览器没有支持HSTS安全协议,我们需要向浏览器开发者提交建议,比如Via。
我也写了一篇类似的文章。
https://www.linlinzzo.top/hsts是什么?它有什么用?/
Ken Deng
谢谢你的分享,为同学们补充了更丰富的知识!
你的网站也得了A+安全等级,它也有我喜欢的计算机、WordPress等相关内容(我现在已停止使用WordPress,有很多bug,难管理和维护),我收藏了你的网站。
但由于我是一名学霸,并且我喜欢计算机和化学,我的知识解析是偏向于学生看的,可能会详细一些(包括服务器响应的Header以及它们的意思),并且是以英文为主的(我在学习A Level国际课程)。
虽然我们在使用Chrome、Firefox、Edge、Safari等主流浏览器,但我也觉得要给一些不支持HSTS浏览器的开发者提交建议,告诉它们什么是HSTS,HSTS的重要性,以及在公共WiFi中没有HSTS的后果(你文章提到的)。当然,如果一些浏览器已停止支持和更新,就没有办法了。