According to a Netcraft’s study of the secured (SSL/TLS) sites they monitor, 95% of them are vulnerable to a simple man-in-the-middle attack because they didn’t correctly implement HTTP Strict Transport Security (HSTS), a widely-supported security feature that prevents unencrypted HTTP connections to a server.
Let’s see why it’s happening and how we can make your website secure, again.
HSTS is a web security policy (RFC 6797) mechanism developed to protect websites against protocol downgrade attacks and cookie hijacking (wiki). When someone enters a website URL in the browser without http://
or https://
prefix or follows the http://
link, the initial request to the webserver is sent unencrypted. A correctly configured webserver should immediately redirect the user to the secured URL. Unfortunately, an attacker can set a man-in-the-middle (MITM) attack to intercept the first HTTP request.
HSTS is designed to help with this potential vulnerability by instructing the browser to always use a secured HTTPS connection to access the webserver (even if the user manually enters URL with the http://
prefix).
To enable this policy, a website should send the following HTTP response header:
Strict-Transport-Security: max-age=31536000
When a browser receives this header from a secured website, it will access this website using HTTPS (SSL or TLS) for the next max-age
seconds.
You can also specify this policy for all subdomains by including includeSubDomains
directive to the response:
Strict-Transport-Security: max-age=31536000; includeSubDomains
#how to #security