Enforce HTTPS with Strict Transport Security (HSTS)
Some sites are designed to work only over HTTPS. In this case, the webmaster often leaves the site reachable over HTTP with a redirection to HTTPS. This mechanism is not safe on its own: the first request is sent in clear text, so a man-in-the-middle can intercept it and strip the redirection before the browser ever reaches HTTPS.
To avoid this, it is possible to tell browsers that a site must only be contacted over HTTPS. The browser then rewrites any http:// URL for that site into https:// before sending the request.
That is what HTTP Strict Transport Security (HSTS) does. It is implemented, among others, in Chrome 4, Firefox 4 and Internet Explorer 11. Browsers that do not support HSTS simply ignore the header, so adding it causes no errors or warnings.
The concept is simple: during an HTTPS connection, the server sends back a Strict-Transport-Security header, indicating that HTTPS must be enforced and for how long (the max-age directive, in seconds). Browsers only honour this header when it is received over HTTPS. The only thing to do is to configure your web server to send it, and all your users will be protected and kept on HTTPS.
You'll find documentation for most browsers here: Wikipedia
The includeSubDomains directive extends the HSTS policy to all your sub-domains.
Preloading
Because HSTS only takes effect after a first visit over HTTPS, many browsers have added a built-in preload list so that known sites are contacted over HTTPS even on the very first visit.
Chrome/Chromium maintains a list that sites can join on request. This list is also used as a base for Firefox, Safari, IE 11 and Edge.
To join this list, your HSTS header must contain the "preload" directive.
HTTP Redirections
In addition to HSTS, which is enforced on the client side, you can deploy HTTP to HTTPS redirects for all your HTTPS sites. For example, you can use a 301 redirect to indicate that the resource must always be accessed over HTTPS. As soon as the user reaches a resource over HTTPS, the HSTS header is read by the browser and applied to the whole site.
For sites using the "www" sub-domain, it is important to order your redirections correctly:
If your certificate covers the domain both with and without "www", perform the following redirections, in this order:
- http://domain.tld => https://domain.tld
- http://www.domain.tld => https://www.domain.tld
- https://domain.tld => https://www.domain.tld
That way, both the bare domain and the "www" will be protected by HSTS.
If your certificate only covers the "www" sub-domain, perform the following redirections:
- http://domain.tld => https://www.domain.tld
- http://www.domain.tld => https://www.domain.tld
It should be noted, however, that it is strongly recommended to also secure the bare domain as in the first case.
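The two points above, the header format and why the redirect order matters, can be checked mechanically. The following is an added example, not code from the original page: it parses a Strict-Transport-Security value as a browser would and follows a redirect chain over a table of constructed responses, recording only the hosts that received the header over HTTPS. The hostnames and response tables are constructed for the demonstration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
    case-insensitive names, trailing ';' tolerated, a repeated directive is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        raise ValueError("max-age is required and must be a number of seconds")
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def hsts_hosts(responses, start, max_hops=5):
    """Follow redirects from `start` over a table of constructed responses
    (url -> (status, headers)) and return the hosts whose HSTS policy a browser
    would record: the header only counts when it arrives over https."""
    protected, url = set(), start
    for _ in range(max_hops):
        status, headers = responses[url]
        headers = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        parts = urlsplit(url)
        if parts.scheme == "https" and "strict-transport-security" in headers:
            parse_hsts(headers["strict-transport-security"])  # raises on a malformed value
            protected.add(parts.hostname)
        if status not in (301, 302, 307, 308):
            return protected
        url = headers["location"]
    raise RuntimeError("too many redirects")

# Constructed responses (not captured from a real site) for the two orderings discussed above.
HSTS = {"Strict-Transport-Security": "max-age=15552001; includeSubDomains;"}
ORDERED = {   # http -> https on the bare domain first, then on to www
    "http://domain.tld/": (301, {"Location": "https://domain.tld/"}),
    "https://domain.tld/": (301, {"Location": "https://www.domain.tld/", **HSTS}),
    "https://www.domain.tld/": (200, HSTS),
}
SHORTCUT = {  # http on the bare domain jumps straight to https://www: bare domain never sees the header
    "http://domain.tld/": (301, {"Location": "https://www.domain.tld/"}),
    "https://www.domain.tld/": (200, HSTS),
}
```

With the ordered chain both hosts end up protected; with the shortcut only www.domain.tld does, which is exactly the gap the recommended ordering closes.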
Deploying
Apache
For Apache, add the following:
# load the mod_headers module if it is not already loaded (in /etc/apache2/httpd.conf)
LoadModule headers_module modules/mod_headers.so

# force https connections for 180 days, in your HTTPS virtual host file
<VirtualHost *:443>
    ...
    ...
    Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains"
    ...
    ...
</VirtualHost>
HTTP Redirections
To redirect your traffic from HTTP to HTTPS, add the following instruction to the virtual host listening on port 80 (the path "/" redirects the whole site, not a single directory):
<VirtualHost *:80>
    Redirect permanent / https://domain.tld/
</VirtualHost>
Nginx
For nginx, add the following to the server block listening on port 443:
# enforce https connections for 180 days
add_header Strict-Transport-Security "max-age=15552001; includeSubDomains";
HTTP Redirections
To redirect your traffic from HTTP to HTTPS, add the following instruction to the HTTP server block:
return 301 https://$host$request_uri;
If a single server block serves both HTTP and HTTPS, you can add the following conditional block to it instead:
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}
Lighttpd
Add the following header:
# requires mod_setenv; add it to server.modules if it is not already loaded
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains"
)
HTTP Redirections
To redirect your HTTP traffic to HTTPS, you first need the redirect module enabled:
server.modules += ( "mod_redirect" )
Then configure your HTTP socket:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "domain.tld" {
        url.redirect = ( "^/(.*)" => "https://domain.tld/$1" )
        server.name = "domain.tld"
    }
}
Microsoft IIS
You can consult our HSTS on IIS documentation.