Is Your Site HSTS Enabled? (opens in new tab)

These settings are giving me an A+ on SSLLabs.com...

  # - Apache 2.4 PFS & BEAST attack Safe   /etc/apache2/mods-enabled/ssl.conf
    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
    SSLHonorCipherOrder on
    SSLCompression off

  # - HSTS Apache directive to force SSL (.htaccess or per site in control panel)
	Header always set Strict-Transport-Security "max-age=15552000"
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]

HSTS is a good concept, and all browsers implement it, but there's no way to inspect which domains are flagged with it in your browser. So if you pick one up by mistake when you're testing the feature out in development, it just sticks, and the only way to get rid of it is to clear your entire browser cache or reset it, which is extremely annoying.

Browser makers: Please, please, please implement a way for me to inspect and remove individual HSTS "flags" so testing it doesn't become so painful.

Yes! And boy, it's not something you want to just enable without some thought.

I enabled it on a site that works without Host: inspection. HTTP gets you site A, and HTTPS gets you site B. (Different hostnames). This is obviously an odd arrangement, but it was working well for our little niche requirement.

I enabled HSTS in nginx while I was scrambling to do the heartbleed patch. I enabled all sorts of new age HTTPS options: HSTS, cert stapling, heavier ciphersuites, et cetera.

Of course, the HSTS started forcing all my HTTP users on site A over to site B, and I looked quite the fool. (Which is fair, because what I did was foolish and I deserved a little ridicule)

It's a neat option and maybe even the base case allows for it, but think about it before you flip it on!

In 2014, everyone who uses https should enable PFS (ECDHE) and HSTS, at the very least.

You almost never want to also include the subdomains, unless you have a wildcard SSL certificate.

I made that mistake, couldn't reach any other subdomain of my site because only 1 was protected by ssl. Clearing that HSTS header information is not so easy..

Sadly not, because I haven't yet understood the interaction of HSTS and old plain-HTTP URLs.

What happens when a browser goes to retrieve, say, an image at http://example.com/img223.JPEG but the server now enforces HSTS and pulls-up TLS?

When I've tried this with a subsite the image fails to load, and I haven't yet had time to investigate why.

Perhaps I should just draw a line and let the old URLs break.

HSTS should be an implicit browser feature, not a server-side add-on. There should not need to be a server-side flag required to enforce this behavior.

If you go to an HTTPS page on a given domain, your browser should always prefer the HTTPS page, even if you try to follow an HTTP page. The reason is, if you were able to reach the page via HTTPS before, you should be able to reach it there again, and HTTP would only expose you to an unencrypted page which is more than likely the same in content. The only downside is that sometimes HTTPS and HTTP URIs serve different resources even though the URI is the same (which I believe should be considered bad behavior by the web server)

Requiring admins to enable HSTS puts the onus on web server admins who are motivated to improve security for their users a tiny bit, and only works for admins who have servers that can support HSTS flags. There are many legacy systems which simply can't or won't be changed to support it. Hopefully the above behavior gets put into the HTTP 2.0 standard so admins don't need to go through a checkist of add-on security measures every time they create a new web server instance.

If you are using a site-signed cert and giving intended visitors a corresponding browser cert (being your own CA), and turn on HSTS, I assume the non-bypassable warning page would not be triggered, and the author's reference to "self-signed certs" is an inaccurate shorthand for "site certs the browser doesn't trust a CA for". (If this interpretation is wrong, HSTS would prevent a secure connection in this scenario.)

And if your server is rewriting URLs instead of using 301, then clients are not vulnerable to the redirect loophole and HSTS gives no benefit in that respect?

Is this a different implementation of Diffie–Hellman? As far as I can tell (and I am likely wrong) there needs to be one successful connection attempt using a secure protocol, in this case HSTS, to detect if the redirect was indeed to the correct site or a MitM attack.

Good to see the word is spreading about HSTS. EFF started pushing it earlier this month [1], with a perhaps fair claim that it's not widely known about by web developers.

As the article shows it's pretty straightforward to setup; if you can add a response header to your app then you'll be able to figure out how to harden your app with HSTS.

For my fellow web developers who like to learn by video, I've tried to make an easily digested screencast and a page of sketch notes to help get the word out about HSTS and explain what it protects against [2].

[1] https://www.eff.org/deeplinks/2014/02/websites-hsts

[2] http://www.webdevbreak.com/episodes/hsts