HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a policy a web server announces through the Strict-Transport-Security response header: a browser that has received it connects to that site over HTTPS only, for as long as the policy is valid.
After installing a TLS (SSL) certificate, a website can be reached over an HTTPS connection, so that data in transit is encrypted and can not be read or altered by a third party. HTTPS alone is not sufficient, however. You also want to force the use of HTTPS, even when a visitor types an http:// address or follows an old http:// link.
How does HSTS work?
Once a browser has stored an HSTS policy for a domain, it no longer sends plain HTTP requests to that domain at all: any http:// URL for it is rewritten to https:// inside the browser before the request leaves, so the visitor always lands on the secure version of the website. If no secure connection can be established, for example because the certificate is invalid or expired, the browser shows an error message and rejects the connection; unlike an ordinary certificate warning, this error can not be clicked through. This is what makes HSTS a defence against 'man in the middle' attacks: an attacker on the network can no longer downgrade the visitor to an unencrypted connection (SSL stripping) or substitute a certificate the browser would otherwise only warn about.
To deploy HSTS, first redirect all unsecured (HTTP) connections to a secure (HTTPS) connection, then send the HSTS header on the HTTPS responses to instruct the browser to connect to the domain in question via HTTPS only from now on. Browsers ignore the header when it arrives over plain HTTP, which is why the redirect must come first. The 'max-age' directive in the header states, in seconds, how long the browser must remember the instruction; the timer is refreshed on every HTTPS response that carries the header, so a visitor who returns within that period keeps the policy alive. The optional 'includeSubDomains' directive makes the HSTS policy active for all subdomains of the visited domain, so before enabling it make sure every subdomain, including internal ones, is reachable over HTTPS. Because the browser refuses to fall back to HTTP while the policy is valid, it is safest to start with a short max-age and raise it to a year or more once everything works.
When visiting a website for the first time, the browser does not yet know whether the website is HSTS enabled, so a typed http:// address produces a plain HTTP request that is still prone to a 'man in the middle' attack. Browsers close this gap with a built-in "preload" list of HSTS domains: for a domain on that list the browser establishes an HTTPS connection straight away, even on the very first visit. To include your website in the preloaded HSTS list, you can submit a request here; the preload service requires a max-age of at least one year (31536000 seconds), 'includeSubDomains' and the 'preload' directive in the header, and a redirect from HTTP to HTTPS on the domain itself. Inclusion is hard to undo, because removal only takes effect once browsers ship an updated list, so only submit once HTTPS works everywhere under the domain. The entire preload list is publicly readable via the Chromium source code.
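The browser-side behaviour described above, as an added example in Python (this is not code from the original page): the Strict-Transport-Security header is parsed, honoured only when it arrives over HTTPS, remembered for max-age seconds for the host and optionally its subdomains, and used to rewrite later http:// URLs before any request is sent; preloaded hosts are upgraded on the very first visit. A small check of the preload requirements (max-age of at least a year, includeSubDomains, preload) is included as well. The parsing and rewriting rules follow RFC 6797; the host names and header values in the block are constructed for the demonstration.

```python
"""Browser-side model of HSTS (RFC 6797): parse the Strict-Transport-Security
header, honour it only over HTTPS, and rewrite later http:// requests from the
stored policy. Added example, not code from the original page; the host names
and header values used below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the smallest max-age the preload service accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parsed policy, or None where a browser would ignore the header
    (no max-age, non-numeric max-age, or a directive given twice)."""
    seen, policy = set(), HstsPolicy(max_age=-1)
    for directive in filter(str.strip, header.split(";")):
        name, _, value = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age may be written as a quoted string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True          # any unknown directive is ignored
    return policy if policy.max_age >= 0 else None


class HstsCache:
    """Per-host store a browser keeps: host -> (expiry, includeSubDomains).
    Preloaded hosts are trusted before any visit and never expire."""

    def __init__(self, preloaded=()):
        self._entries: Dict[str, Tuple[float, bool]] = {
            host: (float("inf"), True) for host in preloaded}

    def observe_response(self, url: str, header: Optional[str], now: float) -> bool:
        """Learn from one response; True if the store changed. A header received
        over plain HTTP is ignored, so a first plaintext visit learns nothing."""
        parts = urlsplit(url)
        if parts.scheme != "https" or header is None or parts.hostname is None:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy.max_age == 0:            # max-age=0 tells the browser to forget the host
            self._entries.pop(parts.hostname, None)
        else:
            self._entries[parts.hostname] = (now + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is not None and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL for a known host before any request is sent;
        an explicit port 80 becomes 443, any other port is kept (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(header: str) -> List[str]:
    """Reasons the preload service would reject this header; empty if it qualifies."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or not parseable"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    now, cache = 0.0, HstsCache(preloaded=["preloaded.example"])
    # Header over plain HTTP is ignored: the next http:// request still goes out in clear.
    cache.observe_response("http://www.example.com/", "max-age=31536000", now)
    print(cache.rewrite("http://www.example.com/login", now))
    # Same header over HTTPS is remembered: http:// is now upgraded inside the browser.
    cache.observe_response("https://www.example.com/", "max-age=31536000; includeSubDomains", now)
    print(cache.rewrite("http://api.www.example.com/v1", now))
    print(cache.rewrite("http://www.example.com/", now + ONE_YEAR + 1))  # expired
    print(cache.rewrite("http://preloaded.example/", now))                # first visit, still upgraded
    print(preload_problems("max-age=3600"))
```

The first two calls in the demo are the point of the ordering rule in the text: the same header is worthless over HTTP and only takes effect once the site is reached over HTTPS, which is why the redirect has to be in place before the header does any good.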
| Browser | Support from version |
| --- | --- |
| Internet Explorer | 11 on Windows 7, if update KB 3058515 is installed |
| Firefox | 4; preload list included since Firefox 17 |
| Safari | the version shipped with OS X Mavericks |
| Blackberry browser and Webview | Blackberry OS 10.3.3 |
The configuration of HSTS differs per web server: