Tuesday, May 6, 2025

HTTPS Strict Transport Security (HSTS): What is It and How it Works?


Have you got HTTPS working on your web server? If so, that’s great. But have you implemented the HTTPS Strict Transport Security (HSTS) policy? I guess your answer is no, and if so, I’d like to tell you that this is not a very wise position to be in. Why? We’ll try to understand that in this article.

The Problem with HTTP

While HTTP is a great protocol that was instrumental in starting the journey of the World Wide Web, it has weaknesses that make it a bad choice for confidential communications. Data sent over an HTTP connection is transferred exactly as it is, in the clear, so anyone who can eavesdrop on your packets can read the entire content of your HTTP session (such attacks are called man-in-the-middle attacks). When you’re dealing with sensitive data (usernames, passwords, financial information, etc.), this becomes a major problem, because leakage of such data can turn out to be very costly.

The Solution: HTTPS

This led to the development of HTTP Secure, or HTTPS. This protocol is essentially HTTP, with the difference that it encrypts the data transferred between you and the server. So when you submit data to a website over an HTTPS connection, no one can read it except you and the site you submitted it to. But there is still a problem.


But, There’s Still a Problem

So far, so good. However, there is one small caveat, and that small caveat can be used by attackers to bypass HTTPS encryption and fool your browser into communicating over the insecure HTTP protocol instead. Such attacks are known as protocol downgrade attacks, and with them an attacker can keep you from ever using HTTPS for a particular website.

But How’s It Possible?

Protocol downgrade attacks become possible because of a design flaw in the way HTTP and HTTPS work together. When you first type a website address into your browser or click a link, your browser tries to connect to that site over the HTTP protocol. If that site uses HTTPS, its server then tells your browser to communicate with it over HTTPS instead.

Only then does your browser proceed with the connection over the secure HTTPS protocol. But the first request in this whole process was sent over HTTP, and that is where a cyber criminal can do his trick.


The cyber criminal can impersonate the site’s web server and, in the response to that very first request (which was sent over HTTP), present the client with a web page that is an exact copy of the original page residing on your server, but which sends the username and password to him instead. The attacker can then repeat this strategy again and again, keeping the user from ever using HTTPS to communicate with your site.

The Solution: HTTP Strict Transport Security (HSTS)

The solution to the problem of protocol downgrade attacks is the HTTP Strict Transport Security policy. This policy tells web browsers to communicate with your site over the HTTPS protocol only and never over HTTP. Once that message has been communicated, the browser remembers that it should not try to reach your website over HTTP, and initiates future requests to your site over HTTPS itself.

Besides that, all popular browsers also ship with their own preloaded HSTS lists, which they consult to find out whether a website uses HSTS. This makes protocol downgrade attacks increasingly difficult.

How HSTS Works

The HSTS policy is enabled by adding the following field to your HTTPS response header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
This field communicates to the browser that your server wants to be accessed over HTTPS protocol only. The

The expire time value tells the browser how long your site should be accessed over HTTPS only, and with the include subdomains value you can apply the same policy to your subdomains as well in one go.

Once your website has been serving this HSTS policy to popular web browsers for some time, the browser makers can also add your site to their preloaded list of HSTS sites, after which the browser will not even need the above header to know that you have HSTS enabled.
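The following Python script is an added example, not code from the article or from any browser or web server. It parses the header field shown above (assuming the directive syntax of RFC 6797, in which max-age is a number of seconds and directive names are case-insensitive), checks a deployed header against the minimums hstspreload.org publishes for preload submission (a max-age of at least one year, includeSubDomains, and preload), and models the browser-side behaviour the article describes: a policy is accepted only from an HTTPS response, http:// URLs for a known host are upgraded before any request leaves the browser, includeSubDomains covers child hosts, and preloaded hosts never expire. The class and function names, the one-year threshold constant, and host names such as shop.example are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass

# hstspreload.org's published minimums for preload submission (assumed here):
# max-age of at least one year, includeSubDomains, and the preload directive.
MIN_PRELOAD_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive.  Returns None when the header is
    invalid: max-age missing, non-numeric, or given more than once.
    """
    max_age, include_subdomains, preload = None, False, False
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(header_value):
    """Return the findings a defender would want to fix before relying on HSTS."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["header missing or malformed: no valid max-age directive"]
    findings = []
    if policy.max_age < MIN_PRELOAD_MAX_AGE:
        findings.append(f"max-age={policy.max_age} is below one year; a short "
                        "window lets the policy lapse between visits")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain reachable over HTTP")
    if not policy.preload:
        findings.append("preload absent: the site cannot be submitted to preload lists")
    return findings


class HstsStore:
    """Toy model of a browser's HSTS cache (constructed for illustration)."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.entries = {host: (float("inf"), True) for host in preload}

    def observe_response(self, scheme, host, headers):
        """Learn a policy from a response.  Only HTTPS responses count (RFC 6797
        section 8.1), so a plain-HTTP response cannot plant or clear a policy."""
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        if scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy.max_age == 0:            # max-age=0 asks the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL for a known host before any request is sent, so the
        plaintext first request described above never happens.  Port 80 becomes 443;
        an explicit non-default port is kept (RFC 6797 section 8.3)."""
        m = re.match(r"^http://([^/:]+)(:\d+)?(/.*)?$", url)
        if not m or not self.is_known(m.group(1)):
            return url
        port = ":443" if m.group(2) == ":80" else (m.group(2) or "")
        return f"https://{m.group(1)}{port}{m.group(3) or '/'}"


if __name__ == "__main__":
    # Constructed sample: one site serving the header over HTTPS, one preloaded host.
    store = HstsStore(preload=["preloaded.example"])
    store.observe_response("https", "shop.example",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    for url in ("http://shop.example/login", "http://cart.shop.example/",
                "http://sub.preloaded.example/", "http://other.example/"):
        print(url, "->", store.rewrite(url))
    print(audit_hsts("max-age=600"))
```

Running the script shows the two HSTS-known hosts and the preloaded host being upgraded to https:// without any network traffic, while the unknown host is left alone, which is exactly the window a downgrade attack needs. The audit call flags the short max-age and the missing includeSubDomains and preload directives, the three points most often wrong in real deployments.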

Conclusion

HSTS is a robust policy that you must implement in your web server to make it more secure in general. It’s especially important if your site requires the transfer of sensitive user data. Implement it today to provide the best possible security to your visitors.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
