HSTS stands for HTTP Strict Transport Security. HSTS came into existence in 2009 and was adopted by the IETF in 2012; see https://tools.ietf.org/html/rfc6797 for more info. Major browsers quickly implemented the new proposal. HSTS guards against passive and active network attacks. It does not guard against any server or browser vulnerabilities.
Why you need to enable HSTS
Hackers can easily obtain sensitive data like usernames and passwords transmitted from a browser to a site that does not have HSTS enabled. The most common way an attacker captures this data is by placing traffic "sniffing" software on a network. The user is most exposed when they type the website address manually without the https prefix: the first request, headers included, is sent unencrypted to the server. Most administrators and web developers have learned to secure their web applications and websites with an SSL certificate, yet most sites still don't have HSTS enabled. By the end of 2020, we tested 1500 sites and only 37 of them had HSTS enabled.
The importance of HSTS
HSTS is a standard that ensures the connection between a server and a browser is HTTPS and always HTTPS. It replaces the need to redirect from http to https. If HSTS is not enabled and a page references images or other files over plain HTTP, the browser displays a warning near the SSL secure lock telling the user that the site is not fully secured. If HSTS is enabled, it forces a secure connection between the server and the browser.
Implications of not using it
You'd think you're safe with just using 301 redirects. Nope! Hackers have figured out that the opportunity still exists when you try to secure your site with this method. By running a small curl command such as:
curl --head http://swdevteam.com
you would be able to see cookie and session ID data that could be sensitive. This is where you are left open to attack: a man in the middle could easily redirect your website or application to a phishing website. This is also where HSTS comes into play. It forces end-to-end SSL connections, from the browser to the server.
Setting up HSTS is fairly simple, but there are some requirements. To check whether your website or API is eligible for HSTS preloading, go to https://hstspreload.org/ and enter the URL. If you can use it, you should see a green background with a success message.
Here are the requirements:
- Have a valid SSL certificate
- Redirect from HTTP to HTTPS
- Serve all subdomains on HTTPS
- Serve an HSTS header on the base URL
- max-age must be at least 1 year
- must use includeSubDomains directive
- must use preload directive
- all redirect traffic should have HSTS header
Setting up HSTS on the server:
A valid response header will look like this:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Apache (httpd.conf or .htaccess):
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Nginx (server block):
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
After you've set up HSTS, you can verify it is working by opening your browser's 'Inspector', finding the 'Host' entry, and looking for the 'HTTP Strict Transport Security' attribute. If you have configured everything correctly, it should say "Enabled".
Additional reading material: