Hi Jim. I was just reading up on HSTS at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
For information's sake, I will include the following from this article:
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
The first time your site is accessed using HTTPS and it returns the Strict-Transport-Security header, the browser records this information, so that future attempts to load the site using HTTP will automatically use HTTPS instead.
When the expiration time specified by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP will proceed as normal instead of automatically using HTTPS.
To enable this in Abyss, you want to force any HTTP connections to redirect to HTTPS. (Note: Obviously, the protocol for the host must be HTTP+HTTPS.)
To make that happen, go to your host --> General --> Advanced Parameters --> Exclusively Serve On HTTPS --> Add.
Virtual Path: /*
To enable the HSTS header, go to your host --> General --> Advanced Parameters --> Custom HTTP Headers --> Add.
Try adding the following:
Virtual Path: /*
HTTP Header Name: Strict-Transport-Security
HTTP Header Value: max-age=31536000; includeSubDomains
This should put the header on every webpage/resource your host transfers out. It will be ignored by the user's browser on HTTP connections, so that is why you want to do the HTTP --> HTTPS redirect.
Be careful with HSTS. If your certificate expires or the browser detects issues with your certificate, your website will potentially be entirely inaccessible. (This can even happen if the user's clock is outside of your cert's valid from and to dates.)
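To make the MDN rules quoted above concrete, here is a small constructed model of how a browser treats the header that the Abyss Custom HTTP Headers entry sends (added example, not code from the original post, MDN or Abyss). It parses a Strict-Transport-Security value, records the policy only from an HTTPS response with a valid certificate, honors includeSubDomains, and stops upgrading once max-age has elapsed; host names and timestamps are constructed sample values.

```python
def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the value is unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None or max_age < 0 else (max_age, include_sub)


class HstsCache:
    """Constructed model of a browser's HSTS store (not Abyss or MDN code)."""
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, host, scheme, cert_ok, headers, now):
        # The header is ignored over plain HTTP or when the certificate fails
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or not cert_ok or value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 asks the browser to forget the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def must_upgrade(self, host, now):
        # True when a plain HTTP load of host must be rewritten to HTTPS;
        # a parent domain's policy applies only if it set includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            entry = self.entries.get(parent)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:  # policy elapsed: HTTP proceeds as normal
                del self.entries[parent]
            elif i == 0 or include_sub:
                return True
        return False
```

This is also why the redirect rule matters: without the first valid HTTPS visit, observe_response never records anything and the header has no effect.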