{"id":1139,"date":"2020-06-25T09:00:00","date_gmt":"2020-06-25T09:00:00","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=1139"},"modified":"2020-12-11T11:09:51","modified_gmt":"2020-12-11T11:09:51","slug":"what-is-hsts-and-why-should-your-organization-use-it","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/what-is-hsts-and-why-should-your-organization-use-it\/","title":{"rendered":"What Is HSTS and Why Should Your Organization Use It?"},"content":{"rendered":"\n

HSTS – The HTTPS-only standard is a way for websites to ensure that web browsers always connect using a secure HTTPS connection \u2014 we\u2019ll explore what it is, how it works, and the benefits (and risks) of implementing this system<\/h2>\n\n\n\n

If you wake up in the middle of the night with burning questions like \u201cwhat is HSTS?\u201d and \u201cwhy aren\u2019t more organizations using http strict transport security?\u201d then you probably should have a drink (or two) and do some relaxation techniques before lying down to sleep.<\/p>\n\n\n\n

But if HTTP strict transport security really is a topic of interest and you want to learn how a website uses HSTS to make connections more secure for users, then we\u2019re happy to provide clarity.<\/p>\n\n\n\n

What Is HSTS and How Does It Relate to HTTPS?<\/h2>\n\n\n\n

HTTP strict transport security is a web security policy that websites can employ to direct web clients (browsers) to make web connections more secure for users. Some people refer to it as SSL HSTS. Or, as one of my delightful colleagues likes to say, it\u2019s \u201cfancy HTTPS.\u201d<\/p>\n\n\n\n

The idea behind HSTS is that it forces browsers to always load the given website using a hypertext transfer protocol secure (HTTPS) connection.<\/p>\n\n\n\n

Before we move on, let\u2019s take a moment for a quick refresher on HTTPS: An HTTPS connection<\/a> is a secure, encrypted connection between two parties \u2014 typically, a web client (browser) and the web server (website) they\u2019re connecting to. Facilitating an HTTPS connection involves installing an SSL\/TLS certificate on the website\u2019s server. When that certificate is an organization (OV) or extended validation (EV) certificate<\/a>, it both ensures that the user is connecting to a legitimate organization\u2019s server and also protects the integrity of the connection itself.<\/p>\n\n\n\n

Now, back to what HSTS is\u2026<\/p>\n\n\n\n

So, when HSTS is enabled, this means that even if a web user types in \u201chttp:\/\/\u201d in a website URL, the browser would connect to the site using the \u201chttps:\/\/\u201d protocol instead of the insecure HTTP. Enabling HTTP strict transport security is kind of like your parents telling you as a little kid that you always need to walk home at night along the safe, well-lit, heavily-traveled street instead of taking shady alleys or less-traveled back roads.<\/p>\n\n\n\n

In the walking scenario, you\u2019ll likely avoid the serial killers and creepy dudes lurking in the shadows. In the HTTPS scenario, your users will enjoy a secure connection. Either way, it sounds like a win-win.<\/p>\n\n\n\n

What Is HSTS: How Does HSTS Work?<\/h3>\n\n\n\n

Let\u2019s consider the following example from that same Mozilla MDN page to provide a little more clarity about how HSTS applies to the real world:<\/p>\n\n\n\n

\u201cYou log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.<\/em><\/p>

Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.\u201d<\/em><\/p><\/blockquote>\n\n\n\n

The more technical way that HSTS works is that it uses an HTTP header to communicate specific security parameters to HTTPS supporting website clients. Basically, the policy instructs a browser to enable HSTS for that specific domain (and, ideally, its subdomains) and to remember that specific information for a set period of time.<\/p>\n\n\n\n

What Is HSTS: How to Use HSTS on Your Site<\/h3>\n\n\n\n
\"What
Screenshot of HSTS code for Google.com<\/figcaption><\/figure><\/div>\n\n\n\n

Wondering which browsers HSTS would work on? Several of the major browsers (both for desktop and mobile) already have versions of their software that support HSTS<\/a>, including:<\/p>\n\n\n\n