Penetration Test | Jan Kahmen | 6 min read

HSTS: What you should know about the HTTPS extension

In our article, we look at the technical background of HSTS, HTTPS and SSL stripping. Learn more about website security now.


What is HSTS?

In recent years, protecting one's own security has increasingly become a matter of the internet. There, it is important to ensure that sensitive data and important information are only made available over secure connections. HSTS guarantees this standard on modern websites. The abbreviation stands for "HTTP Strict Transport Security", a security header that forces the browser to use a secure connection when requesting a website. In OWASP's technical documentation, HSTS is described as a security update.

In our article, we explain the facts you need to know about HSTS and how you, as a website operator, can ensure the maximum level of security for your visitors. We also clarify what HSTS has to do with HTTPS. To do this, we take a close look at the protocols, certificates and technical background, and answer the question of whether you as an operator are still powerless against SSL stripping today.

HTTPS Extension with HSTS

To understand how HSTS benefits you, let's look at its connection to HTTPS. Over this secure connection, your data is encrypted while it is exchanged with the website, which makes it harder for third parties to access your data and tap into the information. The operator of a website can activate HSTS on the server side, which forces the secure connection via HTTPS in every case.

A 301 redirect from HTTP to HTTPS, by contrast, is not sufficient to stop a man-in-the-middle attack: an unauthorized third party could interrupt the redirection to HTTPS and then read and influence the communication between you and the website. HSTS prevents this interruption by forcing HTTPS. More generally, Google has been drawing attention to website security for several years by showing a warning before opening websites that are not encrypted.

SSL Stripping: this is how dangerous it is today

While we are dealing with the security-relevant functions of websites and protocols, SSL stripping should not go unmentioned. In this method, a proxy placed in the connection looks for SSL-protected login pages and serves the user a modified version in which the certificate-protected connection has been removed. The result is that a user opens the website that is supposedly protected by SSL and sends their login data unencrypted, in plain text, where it can be read by a man-in-the-middle. A technical explanation of SSL stripping has been published by Cloudflare.

Almost 20 years ago, SSL stripping was already a way to intercept visitors' information and receive cookies with sensitive data unencrypted. Once in place, neither the user nor the server recognises an SSL strip: both assume a secure connection to each other, and this assumption is not questioned when the data is sent. To protect themselves, users and operators of websites should always use HTTPS connections. In combination with HSTS, SSL stripping can be prevented.

These are the effects HSTS has on SEO

In addition to the technical effects, we would now like to show you the impact of HSTS on SEO. After all, search engine optimization is now indispensable for presenting relevant results to interested parties. Once HSTS is integrated, 307 redirects are used instead of 301 redirects. This makes Google's Search Console prick up its ears and brings the odd email and warning to your inbox. SEO tools from other providers will also inform you after crawling that new 307 redirects have been detected.

The question now arises whether the 307 redirects, which are actually used for temporary redirects, are a poor substitute. A brief look behind the scenes gives the all-clear: since these redirects are only made at the browser level, they are in fact still 301 redirects at the server level. This shows that HSTS has no negative effect on your SEO results. In-depth information about HSTS and SEO was compiled by searchengineland.
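To make the behaviour described above concrete, here is an added example that is not code from the original article and not taken from any real browser. It models a browser's HSTS cache as specified in RFC 6797, using constructed hostnames, times and header values: on the very first visit no policy is known, so a plain-HTTP request still leaves the browser (the window that SSL stripping relies on); the HTTPS response's Strict-Transport-Security header is then stored; every later http:// navigation to that host, or with includeSubDomains to its subdomains, is rewritten to https:// before anything is sent (what Chrome's DevTools reports as a 307 Internal Redirect, while the server's own HTTP listener keeps answering 301); a header seen on a plain-HTTP response is ignored; and the policy lapses once max-age has elapsed. Non-default ports are left out of this sample.

```python
"""Model of a browser's HSTS cache (RFC 6797). Added example with constructed
input; no network traffic is generated and no real browser is involved."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time in seconds; the policy is stale after this
    include_subdomains: bool


def parse_hsts(header_value: str) -> tuple[int, bool] | None:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when there is no usable max-age; the browser then ignores the header."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class Browser:
    """Only the parts of a browser that matter for HSTS enforcement."""

    def __init__(self) -> None:
        self.hsts_cache: dict[str, HstsPolicy] = {}
        self.wire_log: list[str] = []   # URLs of requests that actually leave the browser

    def receive(self, url: str, headers: dict[str, str], now: float) -> None:
        """Process a response. A policy is only accepted from an HTTPS response;
        over plain HTTP the header could have been injected on the path and is ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.hsts_cache.pop(parts.hostname, None)   # max-age=0 means "forget this host"
        else:
            self.hsts_cache[parts.hostname] = HstsPolicy(now + max_age, include_subdomains)

    def _policy_for(self, host: str, now: float) -> HstsPolicy | None:
        """Unexpired policy for the host itself or, with includeSubDomains, a parent domain."""
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self.hsts_cache.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return policy
        return None

    def navigate(self, url: str, now: float) -> tuple[str, str]:
        """Return (decision, url_sent). 'upgraded' means the browser rewrote the URL to
        https:// itself before sending anything; 'sent' means it went out unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._policy_for(parts.hostname, now) is not None:
            url = urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
            decision = "upgraded"
        else:
            decision = "sent"
        self.wire_log.append(url)
        return decision, url


def demo() -> dict[str, object]:
    """Walk through the scenarios from the article on a constructed timeline."""
    browser = Browser()
    t0 = 1_700_000_000.0
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    # 1. First visit ever: no policy known, the plain-HTTP request leaves the browser.
    first = browser.navigate("http://shop.example.com/", t0)
    # The server answers 301 to HTTPS; the HTTPS response carries the header.
    browser.receive("https://shop.example.com/", hsts, t0)
    # 2. A later http:// link is upgraded internally (the "307 Internal Redirect").
    later = browser.navigate("http://shop.example.com/login", t0 + 60)
    # 3. includeSubDomains covers api.shop.example.com as well.
    sub = browser.navigate("http://api.shop.example.com/v1", t0 + 60)
    # 4. A header seen on a plain-HTTP response creates no policy.
    browser.receive("http://other.example.org/", hsts, t0)
    other = browser.navigate("http://other.example.org/", t0 + 60)
    # 5. After max-age the policy has expired and the first-visit gap is back.
    expired = browser.navigate("http://shop.example.com/", t0 + 31536000 + 1)
    return {"first": first, "later": later, "sub": sub, "other": other, "expired": expired,
            "plaintext_on_wire": [u for u in browser.wire_log if u.startswith("http://")]}
```

Run `demo()` to see which requests still go out as plain HTTP: only the very first visit and the visit after expiry, which is why a long max-age (and, for first visits, the browser preload list) matters.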

Conclusion: HSTS belongs to every modern website

Now that we have dealt with the technical background of HSTS in connection with HTTPS and SSL, we can only warmly recommend implementing it in your website's HTTP response headers. HSTS is ideal for avoiding man-in-the-middle attacks. With this gain in security, you can offer your visitors a better browsing experience on your website, and you also protect yourself against data breaches and the theft of personal information.
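As an added check for operators who follow this recommendation (not code from the original article; the sample responses are constructed, the thresholds are the common recommendations of a one-year max-age plus includeSubDomains, and the preload rule is the published requirement of the browser preload list), the following audits what a site sends on its HTTP and HTTPS listeners. The HTTP side should redirect permanently to an https:// URL, the HTTPS side must carry the header, and a header that is only sent on the plain-HTTP response is worthless because browsers ignore it there.

```python
"""Audit a site's HTTP and HTTPS responses for a sound HSTS rollout. Added example
with constructed sample responses; thresholds follow the usual recommendations."""
from __future__ import annotations

ONE_YEAR = 31536000


def directives(header_value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a lowercase name -> value map."""
    out: dict[str, str] = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip().strip('"')
    return out


def audit_http_response(status: int, headers: dict[str, str]) -> list[str]:
    """Findings for the response the plain-HTTP listener gives to GET /."""
    findings = []
    if status not in (301, 308):
        findings.append(f"HTTP listener answers {status}; use a permanent redirect (301/308) to HTTPS")
    if not headers.get("Location", "").lower().startswith("https://"):
        findings.append("HTTP listener does not redirect to an https:// URL")
    if "Strict-Transport-Security" in headers:
        findings.append("HSTS header sent over plain HTTP is ignored by browsers; send it on the HTTPS response")
    return findings


def audit_https_response(headers: dict[str, str]) -> list[str]:
    """Findings for the response the HTTPS listener gives."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["Strict-Transport-Security header missing on HTTPS response"]
    d = directives(value)
    if not d.get("max-age", "").isdigit():
        return [f"unparsable HSTS header {value!r}; browsers will ignore it"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS and clears any stored policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below the recommended one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; http:// links to subdomains stay unprotected")
    if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload set, but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


def audit_site(http_status: int, http_headers: dict[str, str],
               https_headers: dict[str, str]) -> dict[str, object]:
    """Combine both listeners into one verdict."""
    findings = audit_http_response(http_status, http_headers) + audit_https_response(https_headers)
    return {"ok": not findings, "findings": findings}


# Constructed sample: HSTS "switched on" only on the HTTP vhost, with a short max-age.
WEAK = audit_site(
    302,
    {"Location": "https://www.example.com/", "Strict-Transport-Security": "max-age=300"},
    {"Content-Type": "text/html"},
)

# Constructed sample: the hardened configuration.
HARDENED = audit_site(
    301,
    {"Location": "https://www.example.com/"},
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
)

if __name__ == "__main__":
    for label, result in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "OK" if result["ok"] else "\n  - " + "\n  - ".join(result["findings"]))
```

Feed it the status and headers you observe with your own client on both listeners; the weak sample shows the three mistakes a pentester sees most often together: a temporary redirect, the header on the wrong listener, and nothing at all on HTTPS.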

Looking at the advantages of HSTS, it quickly becomes clear that serious websites should go this extra mile for the security of everyone involved. After all, it is in the general interest not to give hackers and blackmailers a chance on the internet. HSTS is exactly the right tool for taking this step on your own initiative. With HSTS, you leave modern cybercrime no room to gain access to your employees' or visitors' data on your website.
