Saturday, April 13, 2019

What Is HTTP Strict Transport Security

If you run a website that handles sensitive data, such as logins, session cookies or personal information, it is advisable to implement HSTS. A site that serves only public content gains less from it, but any site served over HTTPS still benefits: HSTS stops the browser from ever making a plain-HTTP request to the host, so an attacker on the network never gets a downgrade window to exploit.

Advantages of HSTS

HSTS is designed to defeat man-in-the-middle attacks, in which an attacker on the network path intercepts plain-HTTP traffic to read or tamper with users' credentials and session data, or strips HTTPS from the pages and links it relays (SSL stripping). HSTS closes this gap by instructing the browser, once it has seen the Strict-Transport-Security header over a valid HTTPS connection, never to send traffic to that host over plain HTTP for the lifetime of the policy (its max-age). Note the limit of this mechanism: the very first visit, before the browser has seen the header, is still unprotected unless the domain is on the browsers' built-in preload list.

Two main security advantages of HSTS are:

1)    The browser rewrites every http:// URL for the host (typed addresses, links, and assets referenced in the HTML your website generates) to https:// before any request leaves the machine. The site's HTML is not modified; the upgrade happens inside the browser, and with the includeSubDomains directive it covers the subdomains as well. Because every request is then made over TLS, each response can only come from a server that presented a valid certificate for that host.
2)    For an HSTS host the browser treats a certificate error (expired certificate, name mismatch, untrusted issuer) as fatal: the usual warning page with its "proceed anyway" option is removed, and the site cannot be reached until the certificate is fixed.



How do I implement HSTS?

TLS certificates (still widely called SSL certificates, after the protocol's predecessor) are the prerequisite: HSTS only makes sense once the whole site is reachable over HTTPS. Which certificate you need depends on the host names you have to cover. For example:

•    If the site spans subdomains, a wildcard certificate (for a name such as *.example.com, which covers one level of subdomains) or a certificate listing each host as a Subject Alternative Name covers them all.
•    If only the main domain needs protection, a single-name domain-validated (DV) certificate will do the job.

To implement HSTS, and to qualify for the browser HSTS preload list, follow these steps:

1)    Check that the site's certificate is valid (trusted chain, matching host names, not expired) on every host involved
2)    Redirect every http:// request to https:// on the same host, and only send the HSTS header on the https:// response
3)    Serve every subdomain over HTTPS as well, for example with a wildcard certificate, because the includeSubDomains directive will force all of them to HTTPS
4)    Serve the Strict-Transport-Security header on the base domain for https:// requests with a max-age of at least 18 weeks (10886400 seconds; the current hstspreload.org requirement is one year, 31536000 seconds)
5)    Add the includeSubDomains and preload directives



These are the submission requirements of the HSTS preload list (hstspreload.org), which ships inside Chrome, Firefox, Safari and Edge; a domain that stops meeting requirements 1-5 can be removed from the list. Before submitting, keep in mind that preloading is hard to undo: once a domain is on the list, no host under it can be reached over plain HTTP until a removal request has propagated through browser releases, which takes months.
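As an added example (not code from the original post or from any browser), here is a Python model of the two browser behaviours described under "Advantages of HSTS" and of the header requirements in steps 4 and 5 above. parse_sts parses a Strict-Transport-Security value; HstsCache mimics the browser's store (a policy is only accepted over TLS, http:// URLs are upgraded before any request is sent, includeSubDomains extends the policy to subdomains, max-age expires it, and a certificate error on a known host cannot be clicked through); preload_problems reports which header requirements a site still misses. The host names, header values and the fake clock are constructed for the demo.

```python
"""Model of browser-side HSTS enforcement plus a preload header check.
Added example: not code from the original post or from any browser."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# The post asks for 18 weeks (10886400 s); hstspreload.org currently requires one year.
EIGHTEEN_WEEKS = 10886400
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 6.1); None if max-age is absent/invalid."""
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry time, includeSubDomains)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str, over_tls: bool) -> None:
        """Record a policy seen in a response. Headers received over plain HTTP are
        ignored (RFC 6797 8.1), so a first visit is only protected if the host is preloaded."""
        policy = parse_sts(header) if over_tls else None
        if policy is None:
            return
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self._entries.pop(host.lower(), None)
        else:
            self._entries[host.lower()] = (self._now() + policy.max_age, policy.include_subdomains)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// before the request leaves the browser (RFC 6797 8.3).
        The page's HTML is never modified; the browser rewrites the URL it is about to fetch.
        An explicit port 80 becomes the https default; any other port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def can_bypass_cert_error(self, host: str) -> bool:
        """For a known HSTS host a certificate error is fatal: no 'proceed anyway' button."""
        return not self.is_known(host)


def preload_problems(header: str, min_max_age: int = ONE_YEAR) -> List[str]:
    """List the reasons a base-domain header fails the preload list's header requirements."""
    policy = parse_sts(header)
    if policy is None:
        return ["missing or invalid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < min_max_age:
        problems.append(f"max-age={policy.max_age} is below the required {min_max_age}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    clock = [1_000_000.0]  # constructed fake clock so expiry can be demonstrated
    cache = HstsCache(now=lambda: clock[0])
    # Constructed header, as the base domain would send it over HTTPS.
    cache.observe("example.com", "max-age=31536000; includeSubDomains; preload", over_tls=True)
    print(cache.rewrite("http://example.com/login"))        # https://example.com/login
    print(cache.rewrite("http://api.example.com:8080/v1"))  # https://api.example.com:8080/v1
    print(cache.can_bypass_cert_error("example.com"))       # False
    print(preload_problems("max-age=10886400; includeSubDomains"))
```

The model deliberately drops a header seen over plain HTTP and only ever rewrites URLs in the browser, which is the point the "Advantages" section gets slightly wrong: the server's HTML is untouched, and the protection only exists after one successful HTTPS visit (or a preload entry). preload_problems defaults to the one-year minimum hstspreload.org enforces today; pass min_max_age=EIGHTEEN_WEEKS to check against the figure quoted in the post.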
