What is HSTS?

HSTS (HTTP Strict Transport Security) is a security mechanism that tells browsers never to load a site over HTTP (HyperText Transfer Protocol, the unencrypted protocol), even if the user types a URL starting with http://. Once the header has been received over an HTTPS connection, the browser memorises the instruction for the duration specified by max-age and automatically enforces HTTPS (HTTP Secure, the encrypted version) on every subsequent visit.

The attack HSTS blocks: SSL Stripping

Without HSTS, here is what happens on a first visit: the user types your-site.com → their browser first sends an HTTP (unencrypted) request → the server responds with a redirect to HTTPS. This fraction-of-a-second window is enough for an SSL Stripping attack: an attacker positioned between the visitor and the server (for example on a malicious public Wi-Fi network) intercepts the HTTP connection before the redirect takes place and keeps the communication in plain text, without the visitor noticing.

This technique is also called a downgrade attack because it forces a degradation from the secure protocol back to the unencrypted one.

How to enable HSTS

On Apache, add to your SSL VirtualHost:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

On Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Key parameters:

  • max-age=31536000: how long the browser remembers the policy, in seconds (31,536,000 = 1 year, the recommended value)
  • includeSubDomains: applies HSTS to all subdomains (www, mail, api…)
  • preload: enables submission to the Chrome and Firefox preload list

HSTS Preload: the maximum level of protection

The preload list is built directly into the Chrome, Firefox, Safari and Edge browsers; it lists domains that must always be visited over HTTPS, even on the very first connection, before the browser has ever received the HSTS header. To submit your domain, visit hstspreload.org.

Warning: removal from the list is slow (months-long delay). Make sure ALL your subdomains support HTTPS before submitting with includeSubDomains.
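To make the mechanism above concrete, here is an added example (not code from the page or from TheSiteFuse) that models what a browser does with the header: it parses the Strict-Transport-Security value, ignores the header when it arrives over plain HTTP, remembers the policy for max-age seconds, applies it to subdomains only when includeSubDomains is present, and rewrites http:// URLs accordingly. It also checks the header-level preload requirements; the thresholds (max-age of at least one year, includeSubDomains and preload both present) are an assumption taken from hstspreload.org's published rules and should be re-checked there, since the real submission also verifies the certificate and the HTTP-to-HTTPS redirect, which this offline model cannot.

```python
"""Browser-side model of HSTS handling and a preload-eligibility check.
Added example; not part of the original page."""
import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the max-age value the page recommends


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797 syntax.

    Directive names are case-insensitive, max-age is mandatory, and a
    directive may appear only once. Returns None for a malformed header,
    which is what a browser does: it simply ignores it.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # max-age="600" is legal
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None  # duplicated or non-numeric: invalid header
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: Optional[HstsPolicy]) -> tuple[bool, list[str]]:
    """Header-level preload checks (assumed thresholds from hstspreload.org)."""
    if policy is None:
        return False, ["no valid Strict-Transport-Security header"]
    reasons = []
    if policy.max_age < ONE_YEAR:
        reasons.append(f"max-age {policy.max_age} is below {ONE_YEAR} (1 year)")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains directive missing")
    if not policy.preload:
        reasons.append("preload directive missing")
    return not reasons, reasons


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, subdomains?)."""

    def __init__(self) -> None:
        self._store: dict[str, tuple[float, bool]] = {}

    def observe(self, host: str, header_value: Optional[str],
                over_https: bool, now: float) -> None:
        """Record the policy a response carried. Plain-HTTP responses are
        ignored; otherwise an attacker in the strip window could plant one."""
        if not over_https or header_value is None:
            return
        policy = parse_hsts(header_value)
        if policy is None:
            return
        if policy.max_age == 0:
            self._store.pop(host.lower(), None)  # max-age=0 means "forget me"
            return
        self._store[host.lower()] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host: str, now: float) -> bool:
        """Known host, or a parent domain that set includeSubDomains.
        Matching is label-wise, so notexample.com never matches example.com."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._store.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # expired: treated as if never seen
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL internally, before any request leaves."""
        m = re.match(r"http://([^/:?#]+)(.*)", url)
        if m and self.must_use_https(m.group(1), now):
            return "https://" + m.group(1) + m.group(2)
        return url
```

The first-visit gap the SSL Stripping section describes falls out of the model: before observe() has seen the header over HTTPS, rewrite() leaves http:// URLs alone, which is exactly the window the preload list closes. Note also that the cache matches hostnames label by label rather than by string suffix; a suffix match would wrongly apply example.com's policy to notexample.com.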

Check your site

TheSiteFuse automatically checks for the presence and validity of the HSTS header, its max-age, the presence of includeSubDomains, and eligibility for the preload list. Run a free audit to know your site's protection level in seconds.