User:Mavarog/Taller

HTTP Strict Transport Security (HSTS) is a proposed web security policy mechanism where a web server declares that complying user agents (such as a web browser) are to interact with it using secure connections only (such as HTTPS). The policy is communicated by the server to the user agent via a HTTP response header field named "Strict-Transport-Security". The policy specifies a period of time during which the user agent shall access the server in only secure fashion.^[1]

The HSTS specification is presently an IETF Internet-Draft.^[1] The authors submitted it as an Internet-Draft on 17 June 2010,^[2] and it has undergone at least two revisions since then. It was with the conversion to an Internet-Draft that the specification name was altered to "HTTP Strict Transport Security" from "Strict Transport Security". The reason for this name change was given as being due to the specification being specific to HTTP.^[3] (Note: the HTTP response header field defined in the HSTS specification remains named "Strict-Transport-Security").

The latest community version of the then-named STS specification was published on 18 December 2009, with revisions based on community feedback.^[4]

The original draft specification by Jeff Hodges from PayPal, Collin Jackson and Adam Barth was published on 18 September 2009.^[5]

The specification is based on original work by Jackson and Barth as described in their paper “ForceHTTPS: Protecting High-Security Web Sites from Network Attacks”.^[6]

When the HSTS policy is active for a website, a complying user agent does the following:

1. Automatically turn any insecure links to the website into secure links. (For instance, http://www.example.com/some/page/ will be modified to https://www.example.com/some/page/ before accessing the server.)
2. If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), show an error message and do not allow the user to access the site despite the error.

The HSTS policy helps protect website users against some passive (eavesdropping) and active network attacks. A man-in-the-middle attacker will not be able to intercept any request to a website while the user's browser has HSTS active for that site.

The initial request remains unprotected from active attacks if it uses an insecure protocol such as plain HTTP or if the URI for the initial request was obtained over an insecure channel. The same applies to the first request after the activity period specified in the advertised HSTS policy expires. Google Chrome addresses this limitation by implementing a "STS preloaded list".^[7]

Websites:

• PayPal sets the Strict-Transport-Security header on their https-only website.^[8]
• DEF CON website^[9]
• https://www.acdet.com/^[9]
• https://squareup.com/^[9]
• https://www.ssllabs.com/^[9]
• https://voipscanner.com/^[9]
• https://www.strongspace.com/^[9]
• https://www.elanex.biz/^[10]
• https://jottit.com/^[10]
• https://sunshinepress.org/^[10]
• https://www.noisebridge.net/^[10]
• https://neg9.org/^[10]
• https://riseup.net/^[10]
• https://factor.cc/^[10]
• https://(support,members,id,lists).mayfirst.org/^[10]

Naturally, this is not a complete list of websites which support STS.

Browsers:

• Google Chrome supports HSTS as of version 4.0.211.0.^[11]
• HSTS landed in the Firefox nightlies as of 25 Aug 2010 ^[12]
• The NoScript extension for Firefox enforces HSTS as of version 1.9.8.9.^[13]
• The HTTPS Everywhere extension for Firefox, derived from NoScript, generalises the concept of HSTS, to include subsets of the paths on some domains, and rewriting of insecure http:// URIs on one domain to secure https:// ones on another (for instance, from http://en.wikipedia.org to https://secure.wikimedia.org).^[14]
• Internet SSL Survey 2010 v1.6^[9]
• Strict Transport Security - The Chromium Projects^[10]

Strict-Transport-Security headers should be sent via HTTPS responses. Client implementations should not respect STS headers sent over non-HTTPS responses, or over HTTPS responses which are not using properly configured, trusted certificates. The following server configuration snippets should be within the context of an SSL site configuration block, and the code examples should be within the context of HTTPS responses only.

Note that the max-age is provided in seconds. The 500 seconds in the examples below can be changed to a much larger value depending on how long the web server operator is willing to commit to using HTTPS.

Implementation in Apache.

# load module (example using [RHEL])
LoadModule headers_module modules/mod_headers.so

# Use HTTP Strict Transport Security to force client to use secure connections only
Header set Strict-Transport-Security "max-age=500"
Header append Strict-Transport-Security includeSubDomains

Implementation in nginx.

# Use HTTP Strict Transport Security to force client to use secure connections only
add_header Strict-Transport-Security max-age=500;

Implementation in PHP.

// Use HTTP Strict Transport Security to force client to use secure connections only
$use_sts = true;

if ($use_sts && isset($_SERVER['HTTPS'])) {
    header('Strict-Transport-Security: max-age=500');
} elseif ($use_sts && !isset($_SERVER['HTTPS'])) {
    header('Status-Code: 301');
    header('Location: https://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
}

Implementation in Perl.

# Use HTTP Strict Transport Security to force client to use secure connections only
use CGI;

$q = new CGI;
$use_sts = true;

if ($use_sts == true) {
    print $q->header('Strict-Transport-Security' => 'max-age=500'); 
} elseif ($use_sts == true) {
    header('Status-Code: 301');
    $url = 'https://'.$ENV{'SERVER_NAME'}.$ENV{'PATH_INFO'}.$ENV{'QUERY_STRING'}
    print $q->redirect(status => '301 Moved Permanently', location => $url);
}

Implementation in Ruby on Rails.

# Use HTTP Strict Transport Security to force client to use secure connections only
use_sts = true;

if use_sts == true
    @response.headers['Strict-Transport-Security'], 'max-age=500'
if use_sts == true
    head :moved_permanently, :location => "https://" + request.env["SERVER_ADDR"] + request.env["REQUEST_URI"]

Implementation in ASP.

'Use HTTP Strict Transport Security to force client to use secure connections only
Dim use_sts
use_sts = True

If use_sts = True And Request.Url.Scheme = "https" Then
    Response.AddHeader "Strict-Transport-Security","max-age=500"
ElseIf use_sts = True And Request.Url.Scheme = "http" Then
    Response.Status="301 Moved Permanently"
    Response.AddHeader "Location", "https://" + Request.Url.Host + Request.Url.PathAndQuery
End If

Implementation in ColdFusion Markup Language (CFML).

<!--- Use HTTP Strict Transport Security to force client to use secure connections only --->
<cfset use_sts = true>

<cfif use_sts is "True"> 
  <cfheader name="Strict-Transport-Security" value="max-age=500">
<cfelseif use_sts is "True"> 
  <cfheader statuscode="301" statustext="Moved permanently">
  <cfheader name="Location" value="https://" + CGI.SERVER_NAME + CGI.SCRIPT_NAME + CGI.QUERY_STRING>
</cfif>

Implementation in JavaServer Pages (JSP).

// Use HTTP Strict Transport Security to force client to use secure connections only
use_sts = true;

if(use_sts == true)
  response.setHeader("Strict-Transport-Security", "max-age=500");
else if(use_sts == true)
  response.setStatus(301);
  url = "https://" + request.getServerName() + request.getPathInfo() + request.getQueryString();
  response.setHeader("Location", url);

Implementation in Visual Basic .NET.

'Use HTTP Strict Transport Security to force client to use secure connections only
Dim use_sts As Boolean = True

If use_sts = True Then
    Response.AppendHeader("Strict-Transport-Security", "max-age=500")
ElseIf use_sts = True Then
    Response.AppendHeader("Status-Code", "301")
    Response.AppendHeader("Location", "https://")
End If

Implementation as Struts 2 interceptor in Java.

// Use HTTP Strict Transport Security to force client to use secure connections only
public class StrictTransportSecurityInterceptor extends AbstractInterceptor {
    private static final Log logger = LogFactory.getLog(StrictTransportSecurityInterceptor.class);
    private static final String HSTS_HEADER = "Strict-Transport-Security";
    private static final String HSTS_VALUE_NAME = "max-age=";
    private static final int HSTS_VALUE_IN_SECONDS = 10;
    private static final String HSTS_VALUE_INCLUDE_SUBDOMAINS = "; includeSubDomains";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext context = invocation.getInvocationContext();
        HttpServletResponse response = (HttpServletResponse) context.get(StrutsStatics.HTTP_RESPONSE);
        String headerValue = HSTS_VALUE_NAME + HSTS_VALUE_IN_SECONDS;
        response.addHeader(HSTS_HEADER, headerValue);
        logger.debug("HSTS interceptor with policy: " + headerValue);
        return invocation.invoke();
    }
}

<interceptors>
  <interceptor name="strictTransportSecurityInterceptor" class="yourPackage.StrictTransportSecurityInterceptor"/>
</interceptors>

<action name="yourActionName" class="yourPackage.YourAction">
  <interceptor-ref name="strictTransportSecurityInterceptor"></interceptor-ref>
  <result name="success">/success.jsp</result>
</action>

• draft-hodges-strict-transport-sec-02, Internet-Draft, IETF.
• Strict Transport Security page on W3C Web Security Wiki.
• Security Now - 262: Strict Transport Security