HTTPS Strict Transport Security

Have you got HTTPS protocol working on your web server? If you answered in yes, that’s great. But have you got the HTTPS Strict Transport Security (HSTS) Policy implemented? I guess your answer is NO… and if it is true, then I’d like to tell you that it’s not a very wise thing. Why? We’ll try to understand that in this article:

The Problem with HTTP

While HTTP is a great protocol that was instrumental in starting the journey of World Wide Web, it has some weaknesses that make it a bad choice for confidential communications. The data transferred using an HTTP connection is transferred as it is, which means if someone can eavesdrop on your data packets he/she can see the entire content going through your HTTP connection (such attacks are called man-in-the-middle attacks). When you’re dealing with secure data (i.e. usernames, passwords, financial information etc.), this can become a major problem as leakage of such data can turn out to be very costly.

The Solution: HTTPS

This led to the development of HTTP Secure or HTTPS. This protocol is essentially HTTP, except for the difference that it encrypts the data being transferred between you and your server. So when you submit some data to a website with HTTPS connection, no one can see it except for you and the site to which you submitted it. But still problems.

But, There’s Still a Problem

So far, so good. However, there one small caveat. And that small caveat can be used by hackers to bypass HTTPS encryption and fool your browser into communicating over insecure HTTP protocol instead. Such attacks are known as protocol downgrade attacks, and with them, an attacker can keep you away from ever using HTTPS for any particular website.

But How’s It Possible?

The protocol downgrade attacks become possible due to a design flaw of HTTP and HTTPS. The thing is that when you first enter a website address in your browser or click a link, your browser tries to connect to that site via HTTP protocol. Now, if that site uses HTTPS, its server tells your browser to communicate with it over HTTPS instead.

Only then your browser proceeds the connection via secure HTTPS protocol. But the first request in this whole process was sent over HTTP… and that’s where a cyber criminal can do his trick.

Also Read MITM attack over HTTPS connection with SSLStrip

The cyber criminal can impersonate the web server of that site and then in first request (which is sent over HTTP) itself he can present the client with a web page that’s exact copy of the original web page residing on your server, but which will send the username and password to him instead. The attacker can then follow this strategy again and again… thus keeping the user away from ever using HTTPS protocol to communicate with your site.

The Solution: HTTP Strict Transport Security (HSTS)

The solution to this problem of protocol downgrade attacks is HTTP Strict Transport Security policy. What this policy does is telling the web browsers to communicate with your site over HTTPS protocol only and never use HTTP. After that message is communicated the browser remembers that it shouldn’t try to communicate with your website over HTTP, and initiates future requests to your site from HTTPS itself.

Besides that, all popular browsers also come with their own preloaded HSTS lists to which they can refer and figure out whether a website uses HSTS or not. This makes protocol downgrade attacks increasingly difficult.

How HSTS Works

The HSTS policy is enabled by adding the following field to your HTTPS response header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
This field communicates to the browser that your server wants to be accessed over HTTPS protocol only. The

The expire time value tells the browser about time duration for which your site should be accessed via HTTPS protocol only, and with include subdomains value you can apply the same policy to your desired sub domains as well in one go.

Once your website has communicated to popular web browsers with this HSTS policy for some time, the browser makers can also include your site to their pre-loaded list of HSTS sites, a post which your browser will not even need the above-given header to know whether you’ve HSTS enabled or not.


HSTS is a robust policy that you must implement in your web server to make it more secure in general. It’s especially important if your site requires the transfer of sensitive user data. Implement it today to provide the best possible security to your visitors.