HSTS (HTTP Strict Transport Security, RFC 6797) is no longer a new toy now that mainstream browsers and web engines have started supporting it. It does not seem especially welcomed by websites, but its adoption is growing slowly.

Why we need HSTS in addition to HTTP over SSL/TLS

The security policy was developed by three guys from PayPal, CMU, and Google. It is intended not only to force your site onto HTTPS but also to have the browser remember (store) that requirement. The storage period can be long, and during it an attacker will not be able to hijack the site and change the content of your website as delivered to the same user agent (UA).
HSTS adds a time dimension to the secure HTTP connection. It forces user agents to connect to the web server over HTTPS for a specific time interval.

How does it work

HSTS-conformant UA

HSTS-conformant UAs are able to parse and store the content of the STS header. The content can be the max-age or includeSubDomains directive.

  • max-age specifies the number of seconds, after the reception of the STS header field, during which the UA regards the host (from whom the message was received) as a Known HSTS Host.
  • includeSubDomains signals the UA that the HSTS Policy applies to this HSTS Host as well as any subdomains of the host's domain name.

The HSTS-conformant UA is responsible for clearing all the expired HSTS Policies.

HSTS non-conformant UA


So what happens if your UA is not conformant with HSTS? Everything still works perfectly. Your non-secure HTTP request will still be redirected to the corresponding HTTPS link, and the HSTS header will still be returned after that. However, your UA will do nothing with it and simply ignore the header.

It is indeed an aggressive policy

Think twice before you enable this feature on your web server, and be careful when you define the max-age value. Once you enable the feature, every UA that has visited your website will use only HTTPS to visit it again during the time period you defined. If you can no longer provide an HTTPS connection during that period, your old friends will not have access to your web page until the policy expires.
includeSubDomains is also a dangerous field to fill. Make sure the web engines of all your subdomains are able to provide HTTPS connections before you add it to the header. Once the field is set, browsers are forced to visit your main domain as well as all your subdomains over HTTPS. If one of your subdomains points to a web server that does not support HTTPS, your web page under that subdomain may not work properly.
The reason I say "may" above is that if the UA visits your subdomain's web page over HTTP directly, with no record of having visited your main domain's page, your site still works, because no STS policy has been set before.

What if I want to cancel the policy after I enabled it?

All HSTS-conformant UAs will remove the policy if they see an STS header with max-age equal to 0:

Strict-Transport-Security:max-age=0; includeSubDomains

If you become uncomfortable with the HSTS policy, or it has already brought disaster to your web services, you can use this method to minimize your loss.
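
The UA-side behaviour described above (storing max-age and includeSubDomains, expiring policies, the subdomain "may" case, and cancellation with max-age=0) can be modelled in a few lines. This is an added example, not code from the original article or from any browser; the names parse_sts and HSTSStore and the example.test hosts are assumptions made for illustration.

```python
import re

def parse_sts(value):
    """Parse an STS header value; return (max_age, include_subdomains) or None."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen.add(name)
        arg = arg.strip().strip('"')         # max-age value may be a quoted string
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # unrecognised directives are ignored
    return None if max_age is None else (max_age, include_sub)

class HSTSStore:
    """Hypothetical model of the Known HSTS Host list kept by a conformant UA."""
    def __init__(self):
        self.hosts = {}                      # host -> (expiry_time, include_subdomains)

    def note_header(self, host, value, now):
        """Record the policy from an STS header received from host at time now."""
        policy = parse_sts(value)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(host.lower(), None)   # max-age=0 cancels the policy
        else:
            self.hosts[host.lower()] = (now + max_age, include_sub)

    def purge(self, now):
        """Clear expired policies, as the UA is responsible for doing."""
        self.hosts = {h: e for h, e in self.hosts.items() if now < e[0]}

    def must_upgrade(self, host, now):
        """True if the UA must use HTTPS for host at time now."""
        labels = host.lower().split(".")
        for i in range(len(labels)):         # the host itself, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False
```

A subdomain is only forced to HTTPS once the UA holds an unexpired parent policy that set includeSubDomains, which is why a UA that never visited the main domain can still reach an HTTP-only subdomain.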

This article was created by Jialin under the Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license.