
HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a security policy mechanism that protects HTTPS websites against protocol downgrade attacks and greatly simplifies protection against man-in-the-middle attacks and cookie hijacking.

HTTP Strict Transport Security (HSTS) is an important part of building a secure web application.

Why HSTS?

Suppose I have created a web application called myCompanyApps.com; on first access the user is redirected to the login page.

For example:

1. The admin logs in at https://myCompanyApps.com/login.aspx.
2. After the user logs on, the site downgrades to a plain HTTP connection: http://myCompanyApps.com/usersDirectory.aspx.
3. If the user is on a shared connection, an attacker can easily read company employee details from those plain HTTP requests.

Solution:

Move the entire application to HTTPS so that the HTTP Strict Transport Security header can be used; it instructs the browser to automatically transform all HTTP links to the site into HTTPS links.

Advantages of using HSTS:

1. Automatically turns any insecure link referencing the web application into a secure link.
2. If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), shows an error message and does not allow the user to access the web application.
3. Together, these two points provide protection against man-in-the-middle attackers and other HTTPS downgrade attacks.

HSTS is supported by the following browsers (as of this writing; hopefully more browsers will add HSTS support):

1. Chromium and Google Chrome since version 4.0.211.0.
2. Firefox since version 4.
3. Opera since version 12.
4. Safari as of OS X Mavericks.
5. Internet Explorer 11 on Windows 8.1 and Windows 7 since June 2015.


Not recommended: adding the header statically as shown below, because this sends it on every response, including plain HTTP ones:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

Recommended HSTS implementation:

 1. Download the module from http://hstsiis.codeplex.com

 2. Install the Microsoft URL Rewrite module and use the following rewrite rules, which redirect plain HTTP to HTTPS and add the header only on HTTPS responses:


<configuration>
 <system.webServer>
   <rewrite>
     <rules>
       <rule name="HTTPS_301_Redirect" stopProcessing="true">
         <match url="(.*)" />
         <conditions>
           <add input="{HTTPS}" pattern="^OFF$" />
         </conditions>
         <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
       </rule>
     </rules>
     <outboundRules>
       <rule name="Add_HSTS_Header" preCondition="USING_HTTPS" patternSyntax="Wildcard">
         <match serverVariable="RESPONSE_Strict-Transport-Security" pattern="*" />
         <action type="Rewrite" value="max-age=31536000" />
       </rule>
       <preConditions>
         <preCondition name="USING_HTTPS">
           <add input="{HTTPS}" pattern="^ON$" />
         </preCondition>
       </preConditions>
     </outboundRules>
   </rewrite>
 </system.webServer>
</configuration>
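To verify that a deployment actually behaves like the rewrite rules above (plain HTTP answered with a permanent redirect to HTTPS, the Strict-Transport-Security header present only on HTTPS with a one-year max-age), here is an added offline checker; it is example code written for this post, not part of the module or of IIS, and the responses it inspects are constructed samples for the example host myCompanyApps.com.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the max-age used in the web.config above


def parse_sts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing or bad."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:  # directive names are case-insensitive
            directives[name.strip().lower()] = val.strip().strip('"')
    try:
        directives["max-age"] = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return directives


def check_hsts_deployment(host, http_resp, https_resp):
    """Responses are (status, headers) tuples; returns findings, [] when correct."""
    findings = []
    http_status, http_hdrs = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    https_hdrs = {k.lower(): v for k, v in https_resp[1].items()}
    # 1. Plain HTTP must be permanently redirected to HTTPS on the same host.
    target = urlsplit(http_hdrs.get("location", ""))
    if http_status != 301 or target.scheme != "https" or target.hostname != host.lower():
        findings.append("http: expected 301 to https://%s, got %s %r"
                        % (host, http_status, http_hdrs.get("location")))
    # 2. Browsers ignore the header over plain HTTP; seeing it there is the
    #    symptom of the static customHeaders approach that is not recommended.
    if "strict-transport-security" in http_hdrs:
        findings.append("http: Strict-Transport-Security sent over plain HTTP")
    # 3. The HTTPS response must carry a valid header with max-age >= one year.
    sts = https_hdrs.get("strict-transport-security")
    parsed = parse_sts(sts) if sts is not None else None
    if parsed is None:
        findings.append("https: Strict-Transport-Security missing or invalid: %r" % sts)
    elif parsed["max-age"] < MIN_MAX_AGE:
        findings.append("https: max-age %d is below %d" % (parsed["max-age"], MIN_MAX_AGE))
    return findings


# Constructed sample responses for the example site used in this post.
SAMPLE_HTTP = (301, {"Location": "https://myCompanyApps.com/usersDirectory.aspx"})
SAMPLE_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000"})

if __name__ == "__main__":
    print(check_hsts_deployment("myCompanyApps.com", SAMPLE_HTTP, SAMPLE_HTTPS) or "OK")
```

To check a live site, capture the status and headers of one request over http:// and one over https:// (with a client that does not follow redirects) and pass them in the same tuple form.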

 

For more details I recommend the following video:

https://www.youtube.com/watch?v=zEV3HOuM_Vw&feature=youtu.be