Detailed Explanation and Use of HSTS for Web Security

HSTS (HTTP Strict Transport Security) is a web security mechanism intended to defend against network attacks such as man-in-the-middle attacks and CSRF (Cross-Site Request Forgery). This article explains in detail how HSTS works, where it applies, and how to enable it on a website.

How HSTS works

HSTS works as follows: when a browser requests a resource from a website, the server includes a "Strict-Transport-Security" HTTP response header in its response. This header tells the browser that all subsequent communication with that web server must use HTTPS rather than HTTP. The browser caches this instruction locally for a period of time, usually six months.

Once HSTS is in effect, whenever the browser is about to send an HTTP request it first checks whether an HSTS policy has been recorded for that host; if so, it upgrades the request to HTTPS. If the server's HTTPS certificate is invalid (for example it has expired or is self-signed), the browser terminates the connection.

[Schematic diagram of this flow: the original image is not reproduced here.]

In short, HSTS forces the browser to use HTTPS when accessing the server. Note that the Strict-Transport-Security header only takes effect when the browser receives it in a response to a request it made over HTTPS; an HSTS header received in a response to a plain HTTP request is ignored.

The security role of HSTS

  • It improves website security: by forcing the browser to use HTTPS, HSTS helps prevent attacks such as man-in-the-middle attacks and Cross-Site Request Forgery.
  • It protects data in transit: using HTTPS prevents attackers from hijacking data while it is being transmitted.

How to configure HSTS?

  • Configure HTTPS and a certificate on the web server, preferably a certificate issued by a trusted CA. The exact steps are not covered here; look up the HTTPS configuration guide for the web server you use (important: use TLS 1.2 or above where possible).
  • Set the Strict-Transport-Security response header correctly on the web server. Including this header in the website's HTTP responses tells the browser to redirect the site to HTTPS; look up how to set response headers for the web server you use. An example and its meaning follow:
Strict-Transport-Security: max-age=31536000

The header above tells the browser to cache the HSTS information for one year (31536000 seconds). The optional includeSubDomains directive applies the HSTS policy to all subdomains as well. For example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Shortcomings of HSTS

  • When a user visits a website for the first time, that visit is not protected by HSTS, because the browser has not yet received the HSTS configuration.
  • Because HSTS expires after the period specified by max-age, whether the browser applies the policy depends on the current system time. An attacker who can alter the operating system clock by some means can thereby invalidate the HSTS policy.
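The browser-side behaviour described in "How HSTS works" and the two shortcomings above can be modelled offline. The following is an added example, not code from the original article: a toy HSTS store (the names HstsEntry, parse_hsts and HstsCache are hypothetical) that parses the header, only honours it when it arrived over HTTPS, applies includeSubDomains to parent domains, and lets the policy lapse once max-age has passed, which is why a shifted clock defeats it.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

@dataclass
class HstsEntry:
    expires_at: float          # absolute time in seconds; ignored once this has passed
    include_subdomains: bool

def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value; None means malformed (browsers ignore it)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):   # directives not known here (e.g. preload) are ignored, not rejected
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None        # RFC 6797: max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None                # max-age is mandatory
    return HstsEntry(expires_at=now + max_age, include_subdomains=include_sub)

class HstsCache:
    def __init__(self) -> None:
        self.entries: Dict[str, HstsEntry] = {}   # constructed in-memory stand-in for the browser's store

    def observe_response(self, url: str, header: str, now: float) -> None:
        """Remember the policy only when the response itself arrived over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return
        entry = parse_hsts(header, now)
        if entry is not None:      # max-age=0 stores an already-expired entry, i.e. clears the host
            self.entries[parts.hostname] = entry

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// when an unexpired policy covers the host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):       # exact host first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires_at > now and (i == 0 or entry.include_subdomains):
                return "https://" + url.split("://", 1)[1]
        return url
```

Feed observe_response the URL and header of a captured response and rewrite the next navigation URL; the first plain-HTTP visit is never upgraded because nothing has been stored yet.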

Summary

HSTS is a very useful network security mechanism that improves the security and reliability of websites and effectively prevents attacks such as man-in-the-middle attacks and Cross-Site Request Forgery. All websites are recommended to enable HSTS. At the same time, the website's security settings should be reviewed and updated regularly to keep it secure and reliable.

Source: blog.csdn.net/luduoyuan/article/details/131344799