Enable HSTS to force the browser to redirect to HTTPS access

After a website has moved entirely to HTTPS, a user who types the site's HTTP address by hand, or follows an HTTP link to it from elsewhere, still reaches the HTTPS service only through the server's 301/302 redirect. That first HTTP request travels in plaintext and can be hijacked before it reaches the server, which is an HTTPS downgrade attack. This problem can currently be solved with HSTS (HTTP Strict Transport Security, RFC 6797).

Introduction to HSTS

HSTS (HTTP Strict Transport Security) is an Internet security policy mechanism published by the Internet Engineering Task Force (IETF). A website that adopts the HSTS policy ensures that the browser always connects to the HTTPS-encrypted version of the site, without the user having to type the encrypted address into the URL bar, in order to reduce the risk of session hijacking.


HSTS response header format

  Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
  • max-age, in seconds, tells the browser that within a specified time, this website must be accessed via the HTTPS protocol. That is, for the HTTP address of this website, the browser needs to replace it with HTTPS locally before sending the request.
  • includeSubDomains, an optional parameter. If this parameter is specified, it indicates that all subdomains of this website must also be accessed through the HTTPS protocol.
  • preload, an optional parameter that marks the domain for inclusion in the browser's built-in (preloaded) list of HTTPS-only domain names.

HSTS Preload List

Although HSTS effectively defends against HTTPS downgrade attacks, it cannot prevent the very first HTTP request, sent before the HSTS policy has been received, from being hijacked. To solve this problem, browser vendors proposed the HSTS Preload List: a built-in list that is updated regularly, and for domain names on the list the browser uses HTTPS even if the user has never visited them before.

Currently, this Preload List is maintained by Google Chrome and is used by Chrome, Firefox, Safari, IE 11, and Microsoft Edge. If you want to add your domain name to this list, you must first meet the following conditions:

  • Have a valid certificate (if using a SHA-1 certificate, the expiration date must be earlier than 2016);
  • Redirect all HTTP traffic to HTTPS;
  • Make sure HTTPS is enabled on all subdomains;
  • Output an HSTS response header in which:
    • max-age is not less than 18 weeks (10886400 seconds);
    • the includeSubDomains parameter is specified;
    • the preload parameter is specified.

Even if all the above conditions are met, you may not be included in the HSTS Preload List. For more information, please visit: https://hstspreload.org/.

Through Chrome's chrome://net-internals/#hsts tool, you can check whether a website is in the Preload List, and you can also manually add a domain name to the local Preload List.

HSTS Disadvantages

HSTS is not a perfect solution to HTTP session hijacking. A user's first visit to a website is not protected by HSTS, because the browser has not yet received the HSTS policy and may still reach the site over plaintext HTTP.

If a user accesses a website protected by HSTS via HTTP, downgrade hijacking may occur in the following situations:

  • They have never visited the site before
  • They recently reinstalled their operating system
  • They recently reinstalled their browser
  • They switched to a new browser
  • They switched to a new device, such as a mobile phone
  • They cleared the browser's cache
  • The site has not been visited recently and max-age has expired

There are currently two solutions to this problem:

  • Solution 1: Preset the HSTS domain name list in the browser, which is the HSTS Preload List solution mentioned above. This domain name list is distributed and hard-coded into mainstream web browsers. Clients accessing domain names in this list will actively use HTTPS and refuse to use HTTP to access the site.
  • Solution 2: Publish the HSTS information in the domain's DNS records. However, this requires the DNS itself to be secure, which means deploying the Domain Name System Security Extensions (DNSSEC).

Other possible problems

Since an HSTS policy expires after a certain period (the validity period is given by max-age), whether the browser enforces the policy depends on the current system time. Most operating systems update the system time frequently through the Network Time Protocol (NTP). For example, Ubuntu synchronizes the clock every time it connects to a network, and OS X Lion contacts its time server automatically every 9 minutes. An attacker who forges NTP responses and sets the clock to the wrong time can therefore bypass HSTS.

The solution is to authenticate NTP information, or to prohibit NTP from moving the clock forward or backward by a large amount. For example, Windows 8 updates the time every 7 days and requires that the time set by NTP differ from the current time by no more than 15 hours.

HSTS-supported browsers

Currently, mainstream browsers already support HSTS features. For details, please refer to the following list:

  • Google Chrome 4 and above
  • Firefox 4 and above
  • Opera 12 and above
  • Safari since OS X Mavericks
  • Internet Explorer and above

HSTS deployment

A server enables HSTS by returning the Strict-Transport-Security field in the HTTP response header when the client makes a request over HTTPS. An HSTS field set on an unencrypted (plain HTTP) response is invalid and is ignored by the browser.

The best deployment solution is to deploy it at the location closest to the user. For example, if the architecture has a front-end reverse proxy and a back-end web server, it is best to configure HSTS at the front-end proxy. Otherwise, you need to configure HSTS at the web server layer. If the web server does not explicitly support HSTS, you can add a response header mechanism. If all other methods fail, you can add HSTS at the application layer.

HSTS is easy to enable: just add the following header to the response:

  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Strict-Transport-Security is the name of the header field. max-age is the time, in seconds, for which the HSTS policy remains in effect on the client. includeSubDomains extends the policy to all subdomains. preload signals that the domain is to be included in the browser's built-in domain list.

The HSTS policy can only be set in an HTTPS response, and the website must use the default port 443 and be accessed by domain name, not by IP address. HTTP therefore needs to be redirected to HTTPS. If an HSTS header were honored in a plaintext response, a man-in-the-middle attacker could inject HSTS information into an ordinary HTTP-only site and make it unreachable, a denial-of-service attack; this is why browsers ignore the header over plain HTTP.
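As an added illustration (not code from the original article), the following Python model shows how a browser applies the header described above: the directives it parses, the three preload-submission conditions listed earlier, why a header received over plain HTTP is ignored, why a first visit or an elapsed max-age leaves the request in plaintext, and how includeSubDomains extends coverage to subdomains. Host names, URLs and timestamps used with it are constructed; a real browser's store is more elaborate.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if it carries no usable max-age."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None  # malformed -> unusable
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    # The three preload-submission conditions listed earlier in the article.
    policy["preload_eligible"] = (policy["max_age"] >= 10886400  # 18 weeks
                                  and policy["include_subdomains"] and policy["preload"])
    return policy

class HstsStore:
    """Toy model of a browser's HSTS cache: host -> (expiry time, includeSubDomains flag)."""
    def __init__(self):
        self.hosts = {}

    def observe(self, url, header_value, now):
        """Record a policy from a response; a header seen over plain HTTP is ignored (RFC 6797)."""
        parts = urlsplit(url)
        policy = parse_hsts(header_value) if parts.scheme == "https" else None
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[parts.hostname] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def rewrite(self, url, now):
        """URL the browser actually requests: http is upgraded when an unexpired policy covers it."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return parts._replace(scheme="https").geturl()
        return url  # first visit, expired max-age or no matching policy: plaintext goes out
```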

Enabling HSTS on Apache

  $ vim /etc/apache2/sites-available/hi-linux.conf

  # Enabling HSTS requires the headers module to be loaded
  LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

  <VirtualHost *:80>
      ServerName www.hi-linux.com
      ServerAlias hi-linux.com
      ...
      # Redirect all visitors to HTTPS to solve the HSTS first-visit problem.
      RedirectPermanent / https://www.hi-linux.com/
  </VirtualHost>

  <VirtualHost 0.0.0.0:443>
      ...
      # Enable HTTP Strict Transport Security ("always" also sends it on error responses)
      Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
      ...
  </VirtualHost>

Restart Apache service

  $ service apache2 restart

Enable HSTS on Nginx

  $ vim /etc/nginx/conf.d/hi-linux.conf

  server {
      listen 443 ssl;
      server_name www.hi-linux.com;
      # Enable HTTP Strict Transport Security. Note that add_header is not inherited by a
      # location block that declares its own add_header, so repeat it there if needed.
      add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
      ...
  }

  server {
      listen 80;
      server_name www.hi-linux.com;
      # Redirect all HTTP requests to HTTPS to solve the HSTS first-visit problem.
      return 301 https://www.hi-linux.com$request_uri;
      ...
  }

Restart Nginx service

  $ service nginx restart

IIS Enable HSTS

To enable HSTS on IIS, you need to use a third-party module, for details, please refer to: https://hstsiis.codeplex.com/

Test whether the setup is successful

Once configured, use the curl command to check whether the header is actually being sent. If the response contains the Strict-Transport-Security field, the setting is in effect:

  $ curl -I https://www.hi-linux.com
  HTTP/1.1 200 OK
  Server: nginx
  Date: Sat, 27 May 2017 03:52:19 GMT
  Content-Type: text/html; charset=utf-8
  ...
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Frame-Options: deny
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  ...

As for HSTS and the HSTS Preload List, it is recommended not to enable them unless you can guarantee that the HTTPS service will always be available. Once HSTS takes effect, returning users are redirected to HTTPS until max-age expires, so if HTTPS is later withdrawn the website becomes inaccessible to them, and the only remedy is to change the domain name.
