Mike Elissen

Enforce HTTPS with HSTS Headers!

Blog Post created by Mike Elissen Champion on Aug 30, 2017

You are able to enforce HTTPS in certain browsers by enabling the HSTS Headers!

 

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.

 

The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF.

 

HSTS addresses the following threats:

  • User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
    • HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
    • HSTS automatically redirects HTTP requests to HTTPS for the target domain
  • A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
    • HSTS does not allow a user to override the invalid certificate message

 

You can easily enable sending this HSTS header in your Akamai configuration, offloading this from your origin and make sure this is enforced.

 

 

Adding the following behavior in your configuration will allow for the HSTS Header (Strict-Transport-Security) to be send to end-users which will then ensure that HTTPS is used when requesting a webpage.

 

A neat trick for anyone is to use Google Chrome Developer Tools to see if HSTS is enforced.

Type/Copy the following in your Chrome browser bar: chrome://net-internals/#hsts 

Outcomes