Now our website has HTTPS enabled and automatically redirects HTTP requests to HTTPS. But the redirect only helps if the user's first request actually reaches us. An attacker sitting between the user and the server (on an open Wi-Fi network, say) can answer the user's initial plain-HTTP request himself, keep serving the site over HTTP, and quietly proxy everything to our HTTPS origin in the background. The user sees a working site, the browser never sees a redirect, and the protection HTTPS provides is lost. This downgrade attack is known as SSL stripping.
HSTS (HTTP Strict Transport Security) was invented to close this gap. When the browser loads a page from the web server over HTTPS for the first time, the server sends a response header named Strict-Transport-Security. A browser that understands the header (some old browsers do not support HSTS and simply ignore it) remembers the host for the number of seconds given in the header's max-age directive. Until that time runs out, the browser rewrites every http:// link to that host into https:// before any request is sent, and it refuses to let the user click through a certificate error for the host: the connection is aborted instead of falling back to something weaker. Every later HTTPS response carrying the header refreshes the timer.
But a weakness remains: the protection depends on the very first visit being clean. If the attacker intercepts that first visit, keeps it on HTTP and strips the HSTS header (along with the redirect), the browser never learns the policy and the mechanism loses its power. This is the trust-on-first-use problem. Luckily, here comes HSTS Preload.
When a website enables HSTS Preload, it is added to a list maintained by Google as part of the Chromium project (the HSTS Preload List).
Most modern browsers (Chrome, Firefox, Safari and Edge among them) ship a copy of this list and pick up the latest version with each new browser release. When a browser finds that the site it is about to visit is on the list, it treats the host as if a Strict-Transport-Security header were already stored for it: the request goes straight to the HTTPS address, even on the very first visit, so there is no plain-HTTP request left for an attacker to intercept.
Getting onto the list, and even more so getting off it, takes a long time, because the change only reaches users when they update their browsers. Removal is especially slow: users on older builds keep forcing HTTPS for your domain long after the entry has been deleted. So think twice before submitting your website to the list.
According to the HSTS Preload List Submission page, in order to join the list, one needs to:
- Serve a valid certificate.
- Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
- Serve all subdomains over HTTPS.
  - In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
- Serve an HSTS header on the base domain for HTTPS requests:
  - The max-age must be at least eighteen weeks (10886400 seconds). (The submission page has since raised this minimum to one year, 31536000 seconds.)
  - The includeSubDomains directive must be specified.
  - The preload directive must be specified.
  - If you are serving an additional redirect from your HTTPS site, that redirect must still carry the HSTS header (not only the page it redirects to).
A little bit complex? That is fine; we will describe how to fulfil these requirements in the next blog post.
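To make the two halves of the story concrete, here is an added example in Python (not code from the original post or from any browser or from hstspreload.org). The first half models how a browser keeps its list of known HSTS hosts: a built-in preload list, hosts learned from the Strict-Transport-Security header over a clean HTTPS connection only, expiry by max-age, and includeSubDomains matching. The second half checks a base-domain header against the header requirements listed above. The class and function names (`BrowserHstsStore`, `parse_hsts`, `preload_problems`), the preload entries and the header values are all constructed for this example; the default minimum max-age is the one-year value the submission page requires today, while the post's eighteen-week figure can be passed in instead.

```python
"""Toy model of browser HSTS enforcement plus a preload-requirement checker.
Added example; not the original post's code, not a real browser's code."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Names are case-insensitive; max-age is mandatory, so a missing or
    non-numeric max-age makes the whole header invalid (returns None)."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class BrowserHstsStore:
    """Known-HSTS-host store: a built-in preload list (host -> includeSubDomains)
    plus hosts learned at run time. The preload list passed in is a constructed
    sample for the example, not the real Chromium list."""

    def __init__(self, preload_list: Dict[str, bool], now=time.time):
        self.preloaded = {h.lower(): sub for h, sub in preload_list.items()}
        self.dynamic: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)
        self.now = now

    def observe(self, host: str, header: Optional[str], secure: bool) -> None:
        """Learn a policy from a response. Per RFC 6797 the header only counts
        over an error-free HTTPS connection, so a man-in-the-middle on plain
        HTTP cannot set a policy; on a first visit he can simply strip it."""
        if not secure or header is None:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:  # max-age=0 tells the browser to forget the host
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (self.now() + policy.max_age, policy.include_subdomains)

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent domain flagged includeSubDomains, is covered."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False

    def upgrade_url(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname):
            return url  # unknown host: the request would go out in the clear
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_problems(header: Optional[str], min_max_age: int = 31536000) -> List[str]:
    """Check a base-domain HSTS header against the preload header requirements.
    Default minimum is the one year hstspreload.org requires today; pass
    10886400 for the eighteen-week figure quoted in the post."""
    policy = parse_hsts(header) if header is not None else None
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if policy.max_age < min_max_age:
        problems.append(f"max-age {policy.max_age} is below the minimum {min_max_age}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems
```

The `secure` flag on `observe` is the whole point of the first-visit problem: a downgraded HTTP response can never create a policy, but it can prevent one from ever being created, and only a preload entry covers that first request. Run `preload_problems` against the header your base domain actually returns before submitting.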
Some Internet service providers block inbound port 80 on residential connections. If you run a service on a dynamic-DNS domain that is on the HSTS Preload List, the browser connects on port 443 (HTTPS) directly without ever trying port 80, so the block does not get in the way.
That's all for the "What" and "Why". We will discuss the "How" in the next blog post.
- Some content is quoted from the HSTS Preload List Submission page.
- Much of the content is based on my reading of this post: 将域名加入 HSTS Preload List ("Adding a domain to the HSTS Preload List") by imlonghao.
- Detailed understanding of the mechanism comes from Wikipedia.
Thanks for reading!