Akamai Diversity

The Akamai Blog

Ensure Secure Browsing with HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (known as HSTS for short) is a security signal that instructs the browser to attempt all requests to your website using HTTPS. In short, with HSTS enabled, a modern browser will never attempt to visit your site on HTTP. Furthermore, the browser remembers this instruction for an amount of time you set. So the next time a user visits your website, their browser won't attempt a HTTP request.

Why is HSTS important? First off, this blog post covers the many good reasons to use HTTPS. But let's suppose your site uses HTTPS everywhere. To ensure the security of your website, you need HSTS to protect against protocol downgrade attacks and cookie theft. Let's go to an example.

Say a user is connected to your site with complimentary WiFi found in a hotel. Only instead of connecting to what they think is complementary WiFi, they're connected to an access point controlled by a hacker. Next, your user enters www.domain.com. Most of us enter a URL without the preceding http:// or https://. In this case a browser will automatically go to the HTTP website, which will re-direct the browser to a HTTPS site. However the hacker intercepting the request could send your request to their own server and serve a HTTP version of your website. Next the user (thinking they are on your site) enters their login credentials, banking information, etc.

If this user had visited your HSTS enabled website in the past, their browser will automatically request the HTTPS version of your site and wouldn't load any unencrypted content. This makes intercepting the data more challenging because the attacker inercepting your user's traffic would need to obtain a SSL certificate bound to your hostname to avoid tipping off the user.

Are there any disadvantages to enabling HSTS? You need to be careful. Turning on HSTS is irreversible. Once you've instructed a browser to only visit your site using HTTPS for let's say a 6 month period, the genie is out of the bottle and it can't be put back in. Before enabling HSTS, ensure your site and subdomains are fully tested with 100% HTTPS and there are no situations where your domain will need to send data over HTTP.

How do you enable HSTS? HSTS is turned on through a specific HTTP response header. Details can be found in this Akamai Community post.