What Is Strict Transport Security (HSTS)?
2 min read · Oct 17, 2024
- Read full article at: https://jenkins96.github.io/2024-10-16-HSTS/
Why Strict Transport Security Header?
- HTTP requests are not encrypted, so they are vulnerable: the information travels in plain text.
- Typically, the user's first request happens over HTTP; users rarely type "https://".
- Browsers may try HTTPS by default, but users often reach the website through a link they were given, and that link may be HTTP.
- Normally, if the server receives an HTTP connection, it responds with a redirect (301) telling the client to connect over HTTPS.
- Everything over HTTPS is protected; however, that very first connection over HTTP is a possible attack vector.
- HSTS works against SSL stripping attacks, where an attacker intercepts that very first HTTP connection from the client and makes the same request to the server, but over HTTPS:
- The client makes an HTTP request to the server.
- An attacker in the middle intercepts this request.
- The attacker sends this very same request to the server, but over HTTPS.
- The server replies normally to this HTTPS request, without knowing that it is an on-path (man-in-the-middle) attack. Let's assume the server is asking for credentials.
- The attacker takes the response, decrypts it (because the actual HTTPS conversation is between the attacker and the server) and sends the response to the real client over HTTP.
- The client receives the page. As far as the client is concerned, it asked for an HTTP website and received an HTTP website.
- The client provides credentials. These are sent over HTTP to the attacker.
- The attacker can either use or record those credentials.
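As an added example that is not part of the original post, the following Python models the browser-side HSTS cache that breaks the chain above: once a host has been seen over HTTPS with the header, any later http:// request to it (or, with includeSubDomains, to its subdomains) is upgraded locally, so the plaintext first request the attacker intercepts in step 1 is never sent. The header syntax and rules (honoured only over HTTPS, max-age mandatory, max-age=0 clears the entry) follow RFC 6797; the HstsPolicy/HstsCache names and timing values are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class HstsPolicy:
    expires: float            # absolute time (seconds) at which the policy lapses
    include_subdomains: bool  # set by the includeSubDomains directive

def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives (RFC 6797 syntax)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

class HstsCache:
    """Per-host HSTS state kept by the browser (constructed model, not a real browser's code)."""
    def __init__(self):
        self.policies = {}  # host -> HstsPolicy

    def observe_response(self, host, scheme, header, now):
        """Record a policy. The header is only honoured on HTTPS responses; on plain HTTP
        an on-path attacker could inject or clear it, so it is ignored there."""
        if scheme != "https" or header is None:
            return
        d = parse_hsts(header)
        if not d.get("max-age", "").isdigit():
            return  # max-age is mandatory; a malformed header is ignored
        max_age = int(d["max-age"])
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self.policies[host] = HstsPolicy(now + max_age, "includesubdomains" in d)

    def should_upgrade(self, host, now):
        """True if a request to host must be rewritten to https:// before it leaves the
        browser, so the plaintext request the stripping attack relies on is never sent."""
        labels = host.split(".")
        for i in range(len(labels)):
            p = self.policies.get(".".join(labels[i:]))
            if p is None or p.expires <= now:
                continue
            if i == 0 or p.include_subdomains:
                return True
        return False
```

Note that the very first visit is still the weak point: until the browser has seen the header over HTTPS once (or the site is on the preload list), `should_upgrade` returns False and the plaintext request goes out.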
- Here is a diagram illustrating the concept above (trying my best with diagrams lol):