Rob's web

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. The HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion (RFC 6797, section 5.2). Websites using HSTS often do not accept clear-text HTTP at all, either by rejecting connections over HTTP or by systematically redirecting users to HTTPS (though this is not required by the specification). The consequence is that a user agent not capable of doing TLS will not be able to connect to the site.

Prerequisites

1. The server must use valid certificates and up-to-date ciphers.

2. HTTP must redirect to the HTTPS version with a 301 or 302 status code.

We do this in the vhost config file.

<VirtualHost *:80>
	ServerName www.example.com
	Redirect 301 / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
.....

3. Serve all subdomains over HTTPS.

Make sure that points 1 and 2 above apply to all your domains and subdomains (according to your DNS records).

4. Serve the Strict-Transport-Security header over HTTPS for the base domain with a max-age of at least 31536000 (1 year) and the includeSubDomains directive.

Directives

max-age=<expire-time>
    The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains (optional)
    If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

preload (optional, non-standard)
    See Preloading Strict Transport Security for details. When using preload, the max-age directive must be at least 31536000 (1 year), and the includeSubDomains directive must be present. Not part of the specification.

Setting the policy

Global

This is the preferred option: the header is set once, in the SSL vhost configuration, for the whole site. (The Header directive is provided by mod_headers, which must be loaded.)

# cd /etc/httpd/conf/
# vi vhssl.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# httpd -t
# systemctl restart httpd

Preloading

HSTS preloading is not part of the specification; the preload list is used by Chrome, Edge, Firefox and IE.

How to add a domain to the HSTS preload list?

Points 1 to 4 must be met.

If you want to use the preload option change the header to:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

Go to hstspreload.org and submit your domain.

Links