Google: Implementing HSTS Without HTTPS Support Can Cause Issues

Dhaval Thakkar

Jul 7, 2015, 6:08:10 PM7/7/15
to vg...@googlegroups.com
Everyone,

Kindly check this

What it is and why it is

One of the several new features in Chrome is the addition of HTTP Strict Transport Security. HSTS allows a site to request that it always be contacted over HTTPS. HSTS is supported in Google Chrome, Firefox, Safari and Opera, and IE is planning support (caniuse.com has a compatibility matrix), but not in all versions: currently IE 11 is the only IE version that is supported; 8, 9 and 10 are not. You can check this at http://caniuse.com/#search=hsts, which gives you the full list of browsers and their compatibility.

When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS. (So you have to make sure that you can serve them all!).

Chrome maintains a "Preloaded HSTS" list (and other browsers maintain lists based on the Chrome list). These domains will be configured for HSTS out of the box. 

If you own a site that you would like to see included in the preloaded HSTS list you can submit it at https://hstspreload.appspot.com.

A selected subset of the members of the preloaded HSTS list:
Google
Paypal
Twitter
Simple
Linode
Stripe

HSTS addresses the following threats:

  • User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
    • HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
    • HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
    • HSTS does not allow a user to override the invalid certificate message

Implementation

Server Side

The web server side needs to inject the HSTS header.

For HTTP sites on the same domain it is not recommended to add an HSTS header but to do a permanent redirect (301 status code) to the HTTPS site.

An Apache HTTPd example that will permanently redirect a URL to the identical URL with an HTTPS scheme is as follows:

<VirtualHost *:80>
       ServerAlias *
       RewriteEngine On
       RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>

Or we can use these rules in .htaccess as well.

On the HTTPS site configuration the following is needed to add the header as recommended by the standard:

       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

--
Regards,
 
Thakkar Dhaval B.
Team Lead