What Is HSTS and Why Should Your Organization Use It?


If you have burning questions like “what is HSTS?” and “why aren’t more organisations using HTTP strict transport security?” that wake you up in the middle of the night, this is the place to go. Then, before settling down to sleep, you should probably have a drink (or two) and practise some relaxation techniques.

However, if HTTP strict transport security is something you’re interested in learning about, and you’d like to know how a website uses HSTS to make connections safer for users, we’d be happy to help.

What Is HSTS and How Does It Relate to HTTPS?

HTTP strict transport security is a web security policy mechanism that lets websites instruct web clients (browsers) to connect to them only over HTTPS, making web connections safer for users. Some people also call it SSL HSTS. It’s “fancy HTTPS,” as one of my lovely coworkers likes to put it.

The idea behind HSTS is that it forces browsers to always use a secure hypertext transfer protocol (HTTPS) connection when loading a website.

Let’s take a short refresher on HTTPS before we go any further: A secure, encrypted connection between two parties — usually a web client (browser) and the web server (website) it’s connecting to — is known as HTTPS. Installing an SSL/TLS certificate on the website’s server is what makes an HTTPS connection possible. When the certificate is organization validated (OV) or extended validation (EV), it also gives the user assurance that they are connecting to a legitimate organization’s server, in addition to protecting the integrity of the connection.

Now, back to the concept of HSTS…

When HSTS is enabled, even if a web user types “http://” in a website URL, the browser will connect to the site using the secure “https://” protocol rather than the insecure HTTP protocol. Enabling HTTP strict transport security is akin to your parents telling you as a child that instead of taking shady alleys or less-traveled back roads, you should always walk home at night along the safe, well-lit, heavily-traveled street.

You’ll probably avoid the serial killers and creepy dudes lurking in the shadows if you walk that way. Likewise, your users will have a secure connection if you use HTTPS. In either case, it’s a win-win situation.

What Is HSTS: How Does HSTS Work?

The following example from Mozilla’s MDN page on HSTS gives a clearer picture of how HSTS operates in practice:

“You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.”

More technically, HSTS works by having the web server send its policy to the client in an HTTP response header (Strict-Transport-Security) over an HTTPS connection; browsers ignore the header if it arrives over plain HTTP. Basically, the policy tells the browser to use only HTTPS for that domain (and, ideally, its subdomains) and to remember that instruction for a certain amount of time.

What Is HSTS: How to Use HSTS on Your Site

Are you curious about which browsers support HSTS? All of the major browsers (both desktop and mobile) already support it, including:

  • Google Chrome
  • Apple Safari
  • Mozilla Firefox
  • Microsoft’s Internet Explorer and Edge
  • Opera

The syntax for this type of policy would look something like this example header info from Mozilla’s MDN:

Strict-Transport-Security: max-age=<expire-time>

You specify the number of seconds for which HSTS should remain enabled. So, to set HSTS for one year (365 days), you could use the following header:

Strict-Transport-Security: max-age=31536000;

And, if you want to make sure that the policy directs the browser to also always load subdomains via HTTPS, you can specify that using this rule:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Concerns about the HSTS Implementation Process on a Website

Okay, all of this is obviously fantastic and can help to make the internet a safer place for users. However, we’d be remiss if we didn’t add one word of caution: HSTS isn’t completely risk-free. When a user loads an HSTS-enabled website for the very first time, there’s a slim chance that an attacker could take advantage of that initial connection.

That’s because an attacker with the right tools and knowledge could downgrade the connection in the split second before the user’s client receives that header. This would let them direct the user to a phishing website or steal data directly.

But, once again, it’s a very small window. And if that’s enough to give you pause about using HTTP strict transport security, just wait a minute: HSTS preloading is a method of keeping attackers from exploiting that window at all.

What HSTS Preloading Is and Why It’s Beneficial for Your Organization

Although it isn’t required, enabling HSTS can be advantageous for businesses and organisations that value their customers’ privacy and data security. HSTS is particularly useful for websites with a high volume of customer logins, which could be tempting targets for a man-in-the-middle attack. And HSTS preloading is a great way to accomplish this while also lowering the risks associated with connecting to an HSTS-enabled website for the first time.

An HSTS preload list is a list of domains that web browsers are required to serve using an encrypted HTTPS connection at all times. All of the major browsers, including Chrome, Firefox, and Safari, use Google’s HSTS preload list or have their own preload list based on it.

Some well-known names are already on the HSTS preload list, according to Google’s Chromium Project:

  • Google
  • Stripe
  • Twitter
  • LastPass
  • Simple

Even the United States government has jumped on the HSTS preloading bandwagon! (And we’re sure we don’t have to tell you what a monumental push that must have taken by some administrator somewhere!) In June 2020, the U.S. General Services Administration (GSA) announced its intention to use HSTS preloading for all new .gov domains starting Sept. 1, 2020. Their (eventual) goal is to force HTTPS connections for all .gov websites, but transitioning existing .gov websites means that is still a few years down the road.

In the case of the .gov top-level domain (TLD), this means that if a user connects to a .gov website on that list using an HSTS-enabled browser, they will only be able to access it via HTTPS.

If you want your domain to be included on the HSTS preload list, you can use this header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
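To make the header mechanics above concrete, here is an added example (not code from the original article or from any browser) that models what a browser does with the Strict-Transport-Security header: it parses the directives, records the policy only when it arrived over HTTPS, upgrades later http:// requests for the host (and, with includeSubDomains, its subdomains) until max-age runs out, and checks whether a header meets the requirements for submitting the domain to the Chromium preload list at hstspreload.org (the header alone does not put a domain on the list; the domain has to be submitted there). The one-year minimum for preloading is assumed from the current submission rules.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; also the minimum max-age hstspreload.org accepts

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid. Names are
    case-insensitive; unknown directives such as the typo 'includesSubDomains' are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age invalidates the whole header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

# Toy model of a browser's known-HSTS-host store: host -> (expiry, include_subdomains)
def observe(cache, url, header, now):
    """Record a policy only when the header arrived over HTTPS; plain-HTTP headers are ignored."""
    u = urlsplit(url)
    policy = parse_hsts(header) if u.scheme == "https" else None
    if policy is None:
        return False
    if policy["max_age"] == 0:
        cache.pop(u.hostname, None)  # max-age=0 tells the browser to forget the host
    else:
        cache[u.hostname] = (now + policy["max_age"], policy["include_subdomains"])
    return True

def rewrite(cache, url, now):
    """Return the URL the browser would actually request (explicit ports are left as-is)."""
    u = urlsplit(url)
    if u.scheme != "http":
        return url
    labels = u.hostname.split(".")
    for i in range(len(labels)):  # exact host first, then each parent domain
        entry = cache.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return urlunsplit(("https", u.netloc, u.path, u.query, u.fragment))
    return url

def preload_eligible(header):  # header-side requirements for submission to hstspreload.org
    p = parse_hsts(header)
    return bool(p and p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"])
```

Note that the misspelled directive includesSubDomains is silently dropped, so a site using it would leave its subdomains unprotected and fail the preload check.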

Final Thoughts on What HSTS Is & the Use of HSTS Preloading

Using an HTTPS connection for your website is critical, both in terms of keeping your customers’ data (and your own data) secure and in terms of appearing legitimate in Google’s search algorithms. We say this because, a few years ago, Google effectively made HTTPS mandatory by including it as one of its ranking factors.

So, although the use of HSTS and HSTS preloading isn’t a requirement (unless you’re in charge of new .gov domains starting Sept. 1), it’s easy to see why it can be considered a generally smart practice where website security is concerned.

  • It’s a simple yet efficient process to implement that provides greater security to your users regarding their personal and/or financial data.
  • This helps your site achieve greater trust in the eyes of your users.
  • Enabling HSTS helps to ensure that you remain compliant with privacy and data security regulations that require the use of HTTPS.

We hope this article answered your questions about “what is HSTS?” or “what does HTTP strict transport security entail?” Of course, if you have any further questions about what HSTS is, feel free to leave a comment below.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.