How To Add HSTS to Your Website’s Security Headers
Let’s take a closer look at what HSTS is, why you need it, and how you can implement it by adding a few lines to your .htaccess file.
You certainly already know that HTTPS (HTTP over SSL/TLS) is a ranking factor for SEO. Since Google announced this in August 2014, HTTPS has gradually gained importance. Starting in July 2018, Google’s popular Chrome browser will mark non-HTTPS sites as ‘not secure’, so the importance of HTTPS as a Google ranking factor is clearly increasing.
The message is clear: Security and site speed are top priorities for Google.
It’s been clear for several years now that webmasters and site owners should move their sites from HTTP to HTTPS. So let’s just assume that you’ve all made the switch to HTTPS. If against all odds you haven’t done so yet, it’s high time to learn how to make the switch. Good starting points are articles such as HTTP to HTTPS: An SEO’s guide to securing a website or Moving your website to HTTPS / SSL.
What is HSTS and why do you need it?
HTTP Strict Transport Security – or simply HSTS – is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. The server communicates HSTS to the user agent via an HTTP response header field named “Strict-Transport-Security”, which specifies a period of time during which the user agent should only access the server over a secure connection.
Reading the Wikipedia article, we learn about the benefits of the HSTS security header:
The HSTS Policy helps protect web application users against some passive eavesdropping and active network attacks. A man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between a user and a web application server while the user’s browser has HSTS Policy in effect for that web application.
[ … ]
The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first publicly introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk “New Tricks For Defeating SSL In Practice”. The SSL (and TLS) stripping attack works by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. Many websites do not use TLS/SSL, therefore there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack, or simply because the website hasn’t implemented TLS/SSL.
Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike’s sslstrip tool fully automates the attack. HSTS addresses this problem by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user’s first visit.
HSTS thus instructs web browsers to only use secure connections for all future requests when communicating with a web site.
Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.
Improved SEO & site speed
HSTS does not only improve your site’s security. It also gives you a minor SEO improvement, because HSTS makes your website load a little bit faster.
This is how it works:
When a user types your address without a scheme or follows an http:// link, the browser first requests the HTTP version and is only then redirected to HTTPS. This initial HTTP request and redirect cause a small delay in your site’s loading time. Sure, we’re talking about milliseconds, but when it comes to page speed, every millisecond counts.
With HSTS enabled, the browser already knows to use only HTTPS and rewrites the request before sending it, so the redirect happens instantly inside the browser and the extra round trip is eliminated.
How to add HSTS security headers via .htaccess
If you’re running a WordPress site, you can choose one of the many plugins that facilitate HSTS. But there’s an easier way to do this, without installing a third-party plugin. Simply add the following lines to your .htaccess file:
# Extra Security Headers (guarded so Apache still starts if mod_headers is absent)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    # "set", not "append": appending yields "SAMEORIGIN, SAMEORIGIN" when another
    # layer also sets the header, and browsers then ignore it
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    # HSTS for one year; env=HTTPS sends it only on TLS responses, the only
    # place browsers honour it; "always" also covers error responses
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
Note that once your web server sends this header, any browser that has received it over HTTPS will refuse to access the unsecured HTTP site for the specified length of time: in this case 31,536,000 seconds, or one year.
Because of this, once you enable HSTS you must keep serving your site over HTTPS with a valid certificate; browsers do not let users click through certificate errors on an HSTS host. If you stop, returning visitors will be unable to access your site until the policy expires.
How to check your security headers
Once you’ve edited your .htaccess file, you’ll want to check and make sure it’s been implemented correctly.
A great site to analyze your HTTP response headers is https://securityheaders.com made by Scott Helme – big kudos out to Scott for this service!
By using the above code in your .htaccess, you should reach grade A.
If you want to take it even further and go for that A+, you’ll also need to implement a Content Security Policy (CSP) to mitigate Cross-Site Scripting (XSS) attacks.
Applying CSP headers on WordPress can be slightly more tricky than setting up HSTS, so it’s OK to save that task for a rainy day.
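To make the browser-side behaviour described above concrete (the first-visit gap, the internal http-to-https rewrite that skips the redirect round trip, and the one-year expiry) and to give you a local way to sanity-check the header value your .htaccess now emits, here is an added example in Python. It is not code from the original article; it models a user agent's HSTS cache along the lines of RFC 6797, and the host names, header values and clock values are constructed for the walkthrough.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the max-age used in the .htaccess snippet above


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict, or return None when
    a browser would ignore the policy (max-age missing or not a number)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not (val.isascii() and val.isdigit()):
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires
    return None if policy["max_age"] is None else policy


def check_hsts(value, min_age=ONE_YEAR):
    """Local sanity check of a header value, e.g. one copied from
    `curl -sI https://example.com/` (hypothetical host). Returns findings."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is invalid: max-age is missing or not a number"]
    findings = []
    if policy["max_age"] < min_age:
        findings.append(f"max-age={policy['max_age']} is shorter than {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set (optional; subdomains keep their own policy)")
    return findings


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry, includeSubDomains)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be demonstrated
        self.policies = {}

    def observe(self, url, headers):
        """Apply the policy carried by a response; True if one was stored or cleared.
        A header seen over plain HTTP is ignored, which is exactly why stripping
        TLS on the very first visit also strips the policy."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.policies.pop(host, None)   # max-age=0 tells the browser to forget
        else:
            self.policies[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self.now():
                del self.policies[candidate]   # expired after max-age seconds
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// before any request is sent, so the plain-HTTP
        round trip and the server-side redirect never happen for a known host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """First visit, return visit, subdomain and expiry, driven by a fake clock."""
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    headers = {"Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains"}
    results = {}
    results["first_visit"] = store.rewrite("http://example.com/")          # unknown host: unchanged
    results["ignored_over_http"] = store.observe("http://example.com/", headers)
    results["stored"] = store.observe("https://example.com/", headers)      # after the redirect
    results["return_visit"] = store.rewrite("http://example.com/login")
    results["subdomain"] = store.rewrite("http://blog.example.com/")
    clock[0] += ONE_YEAR                                                    # one year later
    results["after_expiry"] = store.rewrite("http://example.com/")
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running the script shows the policy only being stored from the HTTPS response, the later plain-HTTP URLs being rewritten before any request leaves the browser, and the rewrite stopping once the clock passes max-age. Feeding check_hsts the value from the article's configuration returns only the informational note that includeSubDomains is not set; whether to add it depends on every subdomain being ready to serve HTTPS.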