Web security: HSTS

Fifth post in the web security series.

OK, so by now we are pretty sure that when the browser connects over HTTPS, the connection to the server is secure. The remaining problem is making sure it connects over HTTPS in the first place.

Your web application has lots of links and resources, and you want to be sure that, even if you got some of those links wrong, everything goes through HTTPS. One way to do that is HTTP Strict Transport Security (HSTS).

HSTS is a simple response header your server sends telling the user's browser that all connections to this host MUST be made over HTTPS. So when the user comes back to your site by typing its URL, the browser goes straight to HTTPS even if the user typed http://. In the same way, if some links inside your web app still specify http://, the browser rewrites them to https:// before sending the request. Two things to keep in mind: the browser only honours the header when it was received over a valid HTTPS connection (sending it over plain HTTP does nothing), and once a host is known to the browser, certificate errors for that host can no longer be clicked through, so get your certificate setup right before turning it on.

The header defines a max-age, in seconds, which is how long the browser should keep going to your website over HTTPS only. The timer is refreshed every time the browser sees the header again, and max-age=0 tells it to forget the policy. There is also an option to include subdomains. So for a max-age of 6 months (15768000 seconds) and including subdomains, the header looks like this:

Strict-Transport-Security:  max-age=15768000; includeSubDomains
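To make the browser-side behaviour concrete, here is a small HSTS policy store that mimics what a browser does with this header: it parses the directives, ignores the header when it did not arrive over TLS, honours max-age=0 as a deletion, and upgrades http:// URLs for known hosts (and their subdomains when includeSubDomains was set). This is an added illustration written for this post, not code from the post or from any browser; the class name HstsStore, the method names and the sample hosts (example.com, evil.test) are my own choices.

```python
"""Toy HSTS policy store mirroring a browser's handling of the
Strict-Transport-Security header (RFC 6797). Added example, not the
original post's code; names and sample data are invented for illustration."""
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        # host -> (expiry as epoch seconds, include_subdomains flag)
        self._hosts = {}

    @staticmethod
    def parse(header):
        """Return (max_age, include_subdomains), or None if the header is invalid.
        Directive names are case-insensitive, the first occurrence of a
        directive wins, max-age is mandatory and unknown directives are ignored."""
        max_age = None
        include_sub = False
        seen = set()
        for raw in header.split(";"):
            directive = raw.strip()
            if not directive:
                continue
            name, _, value = directive.partition("=")
            name = name.strip().lower()
            if name in seen:
                continue  # first occurrence wins
            seen.add(name)
            if name == "max-age":
                match = re.fullmatch(r'"?(\d+)"?', value.strip())
                if not match:
                    return None  # malformed max-age: whole header is ignored
                max_age = int(match.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return None
        return max_age, include_sub

    def observe(self, host, header, over_tls, now=None):
        """Process a response header for `host`. Returns True if the policy
        store was updated. Browsers only honour STS received over a valid TLS
        connection; max-age=0 removes the host from the store."""
        if not over_tls:
            return False
        parsed = self.parse(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        now = time.time() if now is None else now
        if max_age == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if `host` (or a parent domain flagged includeSubDomains) has an
        unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired entry, treated as absent
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for known hosts before the request is
        sent. An explicit port 80 becomes the https default; other explicit
        ports are preserved, as RFC 6797 specifies."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000  # constructed "now" so the run is reproducible
    # Constructed responses: one over TLS (honoured), one over plain HTTP (ignored).
    store.observe("example.com", "max-age=15768000; includeSubDomains", over_tls=True, now=t0)
    store.observe("evil.test", "max-age=15768000", over_tls=False, now=t0)
    print(store.rewrite("http://example.com/login", now=t0))
    print(store.rewrite("http://api.example.com/v1?x=1", now=t0))
    print(store.rewrite("http://evil.test/", now=t0))
```

Running it shows the first two URLs upgraded to https:// and the evil.test URL left alone, because its header never arrived over TLS. Note that the store does nothing for a host until the browser has seen the header once, which is why the very first http:// visit remains unprotected.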

There is some discussion about putting Strict Transport Security (STS) directly in DNS (so the browser could know about it sooner, and it could also work for protocols other than HTTP), but it is not yet mature. Meanwhile, the very first visit over http:// is still unprotected, since the browser has not seen the header yet; browsers address this with a built-in preload list of HSTS hosts.
