What Is HSTS and How To Enable It on Nginx

What is HSTS

HSTS stands for HTTP Strict Transport Security. HSTS tells web browsers that they should always interact with the server over https.

We are increasingly seeing websites serving content over HTTPS. Normal https websites use 301 permanent redirect to redirect insecure http requests to https. For example, every time you type the following URL in the browser address bar,

http://www.linuxbabe.com

you will be redirected to

https://www.linuxbabe.com

This redirect is done on the server side. When the server receives http request, it sends back a message to the browser telling the latter that http request is dropped by the server and the browser needs to send a https request.

What HSTS does is it tells web browsers to internally redirect http requests to https in the future. So now the redirect is done on the browser side.

HSTS tells browsers to default to https when the user do not specify the protocol scheme. If www.linuxbabe.com is not HSTS enabled, then when a user enter the following in the address bar:

www.linuxbabe.com

The browser will first try to send a http request to the server.

If www.linuxbabe.com is HSTS enabled, then a user enter www.linuxbabe.com in the browser address bar, the browser will first try to send a https request to the server.

HSTS helps reduce one round trip time and server load, and at the same prevent man in the middle attack.

Enable HSTS on Nginx

Open your Nginx virtual host configuration file. In the server block add the following line:

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Like below:

server {
listen 443 ssl;
server_name www.linuxbabe.com;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
......

Save and close the file. Then reload Nginx configuration.

sudo service nginx reload     or        sudo sytemctl reload nginx

Check if HSTS is Working

Google Chrome Developer Tools

In Google chrome, press F12 key to open up developer tools, click the network tab. Then enter your domain name with http scheme:

http://www.linuxbabe.com

You will see in the network tab the first http request is redirected internally by Google Chrome and it never goes on the wire. Status code 307 means internal redirect.

307 internal redirect

curl command

Issue the following command

curl -I https://yourdomain.com

You will see a Strict-Transport-Security header.

Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

securityheaders.io service

securityheaders.io is a free service that check your website to see if you site has security headers which includes Strict-Transport-Security header. It tells you what security header you site contains and what security headers you site is missing.

Trust on First Use

HSTS is great but there still a TOFU problem. TOFU stands for Trust on First Use. Let’s say you have never visit a site like baidu.com before. When you enter baidu.com in browser address bar, the browser will send a http request to baidu.com. baidu.com tells you browser to send a https requst. Then baidu.com respond with HTTP header which contains Strict-Transport-Security header and HTML page to your browser.

There’s still a http request going on the wire which can be exploited by man-in-the-middle attack. To address this issue and protect your website, you can preload HSTS policy in browser by submitting your website to https://hstspreload.appspot.com.

HSTS preload

Rate this tutorial
[Total: 1 Average: 1]