Saturday, April 13, 2024

HTTPS Strict Transport Security (HSTS): What is It and How it Works?

Have you got HTTPS protocol working on your web server? If you answered in yes, that’s great. But have you got the HTTPS Strict Transport Security (HSTS) Policy implemented? I guess your answer is NO… and if it is true, then I’d like to tell you that it’s not a very wise thing. Why? We’ll try to understand that in this article:

The Problem with HTTP

While HTTP is a great protocol that was instrumental in starting the journey of World Wide Web, it has some weaknesses that make it a bad choice for confidential communications. The data transferred using an HTTP connection is transferred as it is, which means if someone can eavesdrop on your data packets he/she can see the entire content going through your HTTP connection (such attacks are called man-in-the-middle attacks). When you’re dealing with secure data (i.e. usernames, passwords, financial information etc.), this can become a major problem as leakage of such data can turn out to be very costly.

The Solution: HTTPS

This led to the development of HTTP Secure or HTTPS. This protocol is essentially HTTP, except for the difference that it encrypts the data being transferred between you and your server. So when you submit some data to a website with HTTPS connection, no one can see it except for you and the site to which you submitted it. But still problems.

But, There’s Still a Problem

So far, so good. However, there one small caveat. And that small caveat can be used by hackers to bypass HTTPS encryption and fool your browser into communicating over insecure HTTP protocol instead. Such attacks are known as protocol downgrade attacks, and with them, an attacker can keep you away from ever using HTTPS for any particular website.

But How’s It Possible?

The protocol downgrade attacks become possible due to a design flaw of HTTP and HTTPS. The thing is that when you first enter a website address in your browser or click a link, your browser tries to connect to that site via HTTP protocol. Now, if that site uses HTTPS, its server tells your browser to communicate with it over HTTPS instead.

Only then your browser proceeds the connection via secure HTTPS protocol. But the first request in this whole process was sent over HTTP… and that’s where a cyber criminal can do his trick.

Also Read MITM attack over HTTPS connection with SSLStrip

The cyber criminal can impersonate the web server of that site and then in first request (which is sent over HTTP) itself he can present the client with a web page that’s exact copy of the original web page residing on your server, but which will send the username and password to him instead. The attacker can then follow this strategy again and again… thus keeping the user away from ever using HTTPS protocol to communicate with your site.

The Solution: HTTP Strict Transport Security (HSTS)

The solution to this problem of protocol downgrade attacks is HTTP Strict Transport Security policy. What this policy does is telling the web browsers to communicate with your site over HTTPS protocol only and never use HTTP. After that message is communicated the browser remembers that it shouldn’t try to communicate with your website over HTTP, and initiates future requests to your site from HTTPS itself.

Besides that, all popular browsers also come with their own preloaded HSTS lists to which they can refer and figure out whether a website uses HSTS or not. This makes protocol downgrade attacks increasingly difficult.

How HSTS Works

The HSTS policy is enabled by adding the following field to your HTTPS response header:
Strict-Transport-Security: max-age=expireTime [; includeSubdomains]
This field communicates to the browser that your server wants to be accessed over HTTPS protocol only. The

The expire time value tells the browser about time duration for which your site should be accessed via HTTPS protocol only, and with include subdomains value you can apply the same policy to your desired sub domains as well in one go.

Once your website has communicated to popular web browsers with this HSTS policy for some time, the browser makers can also include your site to their pre-loaded list of HSTS sites, a post which your browser will not even need the above-given header to know whether you’ve HSTS enabled or not.


HSTS is a robust policy that you must implement in your web server to make it more secure in general. It’s especially important if your site requires the transfer of sensitive user data. Implement it today to provide the best possible security to your visitors.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles