HSTS stands for HTTP Strict Transport Security. It is a method used by websites to declare that they should only be accessed using a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all HTTP connections and prevent users from accepting insecure SSL certificates. HSTS is currently supported by most major browsers (only some mobile browsers fail to use it).
HTTP Strict Transport Security was defined as a website security standard in 2012 in RFC 6797. The primary goal of creating this standard was to help avoid man-in-the-middle (MITM) attacks that use SSL stripping. SSL stripping is a technique where an attacker forces the browser to connect to a site using HTTP so that they can sniff packets and intercept or modify sensitive information. HSTS is also a good method to protect yourself from cookie hijacking.
How HSTS Works
Typically, when you enter a URL in the web browser, you skip the protocol part. For example, you type www.aviarus-21.com, not http://www.aviarus-21.com. In such a case, the browser assumes that you want to use the HTTP protocol so it makes an HTTP request to www.aviarus-21.com. At this stage, the website server replies with a redirect (301 response code) that points to the HTTPS site. The browser makes an HTTPS connection to www.aviarus-21.com. This is when the HSTS security policy protection begins using an HTTP response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The Strict-Transport-Security header gives specific instructions to the browser. From now on, every connection to the site and its subdomains for the next year (31536000 seconds) from the moment this header is received must be an HTTPS connection. HTTP connections are not allowed at all. If the browser receives a request to load a resource using HTTP, it must try an HTTPS request instead. If HTTPS is not available, the connection must be terminated.
Additionally, if the certificate is not valid, you will be prevented from making a connection. Usually, if a certificate is not valid (expired, self-signed, signed by an unknown CA, etc.) the browser displays a warning that you can circumvent. However, if the site has HSTS, the browser will not let you circumvent the warning at all. To access the site, you must remove the site from the HSTS list within the browser.
The Strict-Transport-Security header is sent for a given website and covers a particular domain name. Therefore, if you have the HSTS header for www.aviarus-21.com, it will not cover aviarus-21.com but only the www subdomain. This is why, for complete protection, your website should include a call to the base domain (in this case, aviarus-21.com) and receive a Strict-Transport-Security header for that domain name with the includeSubDomains directive.
Is HSTS Completely Secure?
Unfortunately, the first time that you access the website, you are not protected by HSTS. If the website adds an HSTS header to an HTTP connection, that header is ignored. This is because an attacker can remove or add headers during a man-in-the-middle attack. The HSTS header cannot be trusted unless it is delivered via HTTPS.
You should also know that the HSTS max-age is refreshed every time your browser reads the header and the maximum value is two years. This means that the protection is permanent as long as no more than two years pass between your visits. If you do not visit a website for two years, it is treated as a new site. At the same time, if you serve the HSTS header with max-age of 0, the browser will treat the site as a new one on the next connection attempt (which can be useful for testing).
You can use an additional method of protection called the HSTS preload list. The Chromium project maintains a list of websites that use HSTS and the list is distributed with browsers. If you add your website to the preload list, the browser first checks the internal list and so your website is never accessed via HTTP, not even during the first connection attempt. This method is not part of the HSTS standard but it is used by all major browsers (Chrome, Firefox, Safari, Opera, IE11, and Edge).
The only currently known method that could be used to bypass HSTS is an NTP-based attack. If the client computer is susceptible to an NTP attack, it can be fooled into expiring the HSTS policy and accessing the site once with HTTP.
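As an added illustration (not code from the original article), the following Python model applies the browser-side rules described in the two sections above: a header is only honoured when received over HTTPS, every valid header refreshes the expiry up to the two-year cap, max-age=0 forgets the site, includeSubDomains extends a policy to subdomains, and a built-in preload set is consulted before the learned entries. The hostnames, preload entries and timestamps are constructed for the example.

```python
# Added example, not from the original article: a minimal model of a browser's
# HSTS cache following the rules described above. Hosts and times are constructed.
from dataclasses import dataclass

MAX_AGE_CAP = 2 * 365 * 24 * 3600  # stored lifetime is capped at two years

@dataclass
class Policy:
    expires: float           # absolute time (seconds) after which the entry is forgotten
    include_subdomains: bool

class HstsStore:
    def __init__(self, preload=()):
        self.preload = {h.lower() for h in preload}  # shipped with the browser, never expires
        self.entries = {}                             # host -> Policy learned from headers

    def observe(self, scheme, host, header, now):
        """Update the cache from one response's Strict-Transport-Security header."""
        host = host.lower()
        # A header seen over plain HTTP could have been injected in transit: ignore it.
        if scheme != "https" or header is None:
            return
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
        if not directives.get("max-age", "").isdigit():
            return                                    # malformed header: no change
        max_age = int(directives["max-age"])
        if max_age == 0:
            self.entries.pop(host, None)              # max-age=0 makes the site "new" again
            return
        self.entries[host] = Policy(now + min(max_age, MAX_AGE_CAP),  # refreshed on every valid header
                                    "includesubdomains" in directives)

    def must_use_https(self, host, now):
        """True if a request to host must be upgraded to HTTPS (or refused)."""
        labels = host.lower().split(".")
        # Walk from the exact host up through its parents (www.example.com, example.com, com).
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:             # preloaded entries always cover subdomains
                return True
            pol = self.entries.get(candidate)
            if pol is None or pol.expires <= now:
                continue                              # no policy, or it has expired
            if i == 0 or pol.include_subdomains:
                return True
        return False
```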
How to Add a Domain to the HSTS Preload List?
To add a domain to the HSTS preload list, the sites for that domain must meet several requirements. Here is what you need to do to add your domain:
1. Make sure that your sites have valid certificates and up-to-date ciphers.
2. If your sites are available via HTTP, redirect all requests to HTTPS.
3. Make sure that points 1 and 2 above apply to all your domains and subdomains (according to your DNS records).
4. Serve the Strict-Transport-Security header over HTTPS for the base domain with max-age of at least 31536000 (1 year), the includeSubDomains directive, and the preload directive. See above for an example of such a valid HSTS header.
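The checks below are an added example (not the article's or the preload service's own code) that tests requirements 2 to 4 above against recorded responses for a domain; the probe results are constructed sample data rather than real HTTP responses, and the certificate and cipher check of requirement 1 is outside its scope.

```python
# Added example, not from the original article: checks the preload-list
# requirements listed above against constructed probe results for one domain.
ONE_YEAR = 31536000

def parse_hsts(header):
    """Split 'max-age=...; includeSubDomains; preload' into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip().strip('"')
    return out

def check_preload_ready(base, probes):
    """probes maps (scheme, host) -> {"status": int, "headers": dict}.
    Returns a list of problems; an empty list means requirements 2-4 above hold
    (certificate and cipher checks, requirement 1, are outside this example)."""
    problems = []
    if ("https", base) not in probes:
        problems.append(f"no HTTPS response recorded for base domain {base}")
    for (scheme, host), resp in probes.items():
        if scheme == "http":
            # Requirement 2, for every host: plain HTTP must redirect to HTTPS.
            loc = resp["headers"].get("Location", "")
            if resp["status"] not in (301, 302, 307, 308) or not loc.lower().startswith("https://"):
                problems.append(f"http://{host} does not redirect to HTTPS")
        elif host == base:
            # Requirement 4, base domain only: max-age >= 1 year, includeSubDomains, preload.
            d = parse_hsts(resp["headers"].get("Strict-Transport-Security", ""))
            if not d.get("max-age", "").isdigit() or int(d["max-age"]) < ONE_YEAR:
                problems.append(f"https://{host}: max-age must be at least {ONE_YEAR}")
            if "includesubdomains" not in d:
                problems.append(f"https://{host}: includeSubDomains directive missing")
            if "preload" not in d:
                problems.append(f"https://{host}: preload directive missing")
    return problems

# Constructed probe results for a domain that meets the requirements ...
READY_PROBES = {
    ("http", "aviarus-21.com"): {"status": 301, "headers": {"Location": "https://aviarus-21.com/"}},
    ("http", "www.aviarus-21.com"): {"status": 301, "headers": {"Location": "https://www.aviarus-21.com/"}},
    ("https", "aviarus-21.com"): {"status": 200, "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}},
}
# ... and for one that does not (HTTP served directly, one-day max-age, no directives).
WEAK_PROBES = {
    ("http", "aviarus-21.com"): {"status": 200, "headers": {}},
    ("https", "aviarus-21.com"): {"status": 200, "headers": {"Strict-Transport-Security": "max-age=86400"}},
}
```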
For increased security, the preload list is not accessed or downloaded by the browser. It is distributed as a hard-coded resource with new browser versions. This means that it takes quite a lot of time for results to appear on the list and it takes quite a long time for a domain to be removed from the list. If you want to add your site to the list, you must be sure that you are able to maintain full HTTPS access to all resources for an extended period of time. If not, you risk that your website will become completely inaccessible.
How to Remove a Domain from the HSTS Cache in a Browser?
When you are setting up HSTS and testing it, you may need to clear the HSTS cache in the browser. If you set up HSTS incorrectly, you may receive errors that will lock you out of the site unless you clear the data. Here are methods for several popular browsers. Also note that if your domain is on the HSTS preload list, clearing the HSTS cache will be ineffective and there is no way to force an HTTP connection.
Removing from Google Chrome
To remove a domain from the Chrome HSTS cache, follow these instructions:
1. In the Delete domain security policies section, enter the domain to delete in the text box.
2. Click the Delete button next to the text box.
Afterward, you can check if the removal was successful:
1. In the Query HSTS/PKP domain section, enter the domain name to verify in the text box.
2. Click the Query button next to the text box.
3. The response should be Not found.
Removing from Mozilla Firefox
There are many different methods to remove HSTS information from Firefox for a given domain. All of them are described in detail in a dedicated article. The following is the simplest and fastest one, but it removes more than HSTS information from the cache.
1. Close all open tabs for your site.
2. Open the Firefox history window (Library > History > Show All History).
3. Search for the domain using the search bar.
4. Right-click the domain and choose the option Forget About This Site.
5. Restart Firefox.
Removing from Apple Safari
Removing HSTS information from Safari is very easy:
1. Close Safari.
2. Delete the following file from your home directory: ~/Library/Cookies/HSTS.plist
3. Open Safari.
Removing from Microsoft Internet Explorer and Microsoft Edge
You cannot remove a domain name from the HSTS cache for Microsoft browsers. You can only turn off HSTS temporarily in Internet Explorer 11 and only on Windows 7 or Windows 8.1 (not on Windows 10). Full instructions are available in the relevant Microsoft support article.