Hardening Website Security – Part 1a: HSTS Preloading
In part 1 of this series of articles we described the HSTS header “Strict-Transport-Security”. This header is used to tell the clients web browser that HTTP Strict Transport Security mode should be enabled so that the browser should remember that this website only uses HTTPS and should not accept any unencrypted traffic. In this article we’re going to take this a step further an look at HSTS Preloading.
HSTS Preloading
As an addition to this, Google compile a list of HSTS enabled websites which is made available to (or more specifically compiled into) Chrome, Firefox and Safari so that they don’t even have to query the website in question for its headers, it knows to enforce HTTPS right away.
By doing this, attackers can no longer intercept and modify headers sent over unencrypted HTTP to block the elevation to HTTPS, and thereby carry out further Man-in-the-Middle (MITM) attacks.
In order to enable HSTS Preloading you must sign up to be included on the list.
How to Register
Requirements
First, in order to confirm that you are the owner of the website in question, and that you definitely want preloading to be enabled, you have to modify your “Strict-Transport-Security” header.
Where previously it read (optionally with or without the “includeSubDomains” directive):
Strict-Transport-Security “max-age=31536000; includeSubDomains”
You must also add the “preload” option so that it is now:
Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”
If you have unencrypted HTTP enabled, it must be set to redirect with either an HTTP response code of either 301 (Moved Permanently) or 302 (Found – previously Moved Temporarily) to the secure HTTPS site on the same host.
All subdomains must also have a valid HTTPS certificate (including “www.” if you have a DNS record for it).
Registration
Now that you’ve fulfilled the requirements, you can submit your site to the HSTS Preloading list by visiting the following website: https://hstspreload.org/
Once that’s done, you just need to wait. You can submit your site to that website again to check on the status of your request.
Like the article? Share with your friends: