HTTP Strict Transport Security (HSTS) Configuration
Guide to HSTS configuration covering max-age, includeSubDomains, preload lists, SSL stripping prevention, and deployment considerations for subdomain coverage.
Continue your mission
Guide to HSTS configuration covering max-age, includeSubDomains, preload lists, SSL stripping prevention, and deployment considerations for subdomain coverage.
# HTTP Strict Transport Security (HSTS) Configuration
HTTP Strict Transport Security (HSTS) is a web security policy mechanism defined in RFC 6797 that forces browsers to communicate with web servers exclusively over HTTPS. When properly implemented, HSTS prevents protocol downgrade attacks, cookie hijacking, and man-in-the-middle attacks that exploit the transition from HTTP to HTTPS.
HSTS exists because the web's default behavior is fundamentally insecure. When users type "example.com" in their browser, the browser assumes HTTP, not HTTPS. Even when websites redirect HTTP requests to HTTPS, that initial HTTP request creates an attack window. An attacker controlling network traffic can intercept that first request and proxy the entire session over HTTP while the user believes they have a secure connection. This attack, known as SSL stripping, has been demonstrated at security conferences since 2009.
HSTS solves this problem by moving the HTTPS enforcement decision from the server to the browser. After receiving an HSTS policy, browsers remember that the domain requires HTTPS and automatically convert all future HTTP requests to HTTPS before sending them over the network. This eliminates the vulnerable HTTP request that SSL stripping attacks depend on.
Within the Planetary Defense Model, HSTS operates primarily in the Security Posture and Hygiene (SPH) domain as a configuration control that hardens web application security. It also functions as a Data Protection and Sovereignty (DPS) control by ensuring encrypted transport for sensitive data. HSTS represents the principle that security controls should operate automatically and persistently, without requiring user intervention or awareness.
HSTS implementation requires three components: server configuration, browser enforcement, and optional preloading. The mechanism is straightforward but contains important nuances that affect security effectiveness.
The server initiates HSTS by sending the Strict-Transport-Security header in HTTPS responses. A basic HSTS header looks like this:
Strict-Transport-Security: max-age=31536000The max-age directive specifies how long browsers should remember the HSTS policy, measured in seconds. The example above sets a one-year policy. During this period, browsers will automatically convert all HTTP requests to HTTPS for the domain.
Two additional directives provide expanded protection:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadThe includeSubDomains directive extends HSTS protection to all subdomains of the primary domain. If example.com sends this header, browsers will also enforce HTTPS for api.example.com, mail.example.com, and any other subdomain. This prevents attackers from targeting subdomains that might lack HTTPS or have weaker security configurations.
The preload directive signals that the domain owner wants inclusion in browser preload lists. Preloading addresses HSTS's fundamental limitation: it only protects users after their first successful HTTPS visit to the site. If an attacker controls the network during that first visit, they can prevent the HSTS header from being delivered.
Browser preload lists solve this by embedding HSTS policies directly in browser code. When browsers ship with a domain in the preload list, they enforce HTTPS from the very first visit, even if the user has never successfully connected to the site before. All major browsers use the Chromium preload list maintained at hstspreload.org.
Browser enforcement happens at the network layer, before any HTTP request leaves the client. When a user clicks a link or types an address using HTTP for an HSTS-enabled domain, the browser silently converts the request to HTTPS. This conversion happens locally and immediately. No network traffic occurs over HTTP.
The browser's HSTS cache persists across sessions and survives browser restarts. Users cannot override HSTS policies through security warnings or certificate exceptions. This differs from standard HTTPS certificate warnings, which users can bypass by clicking through security warnings. HSTS makes the security decision absolute and non-negotiable.
HSTS policies expire based on their max-age value. Each time the browser receives an HSTS header, it resets the expiration timer. If a domain stops sending HSTS headers, the policy remains active until the original max-age period expires. This prevents attackers from disabling HSTS protection by intercepting and modifying server responses.
Certificate validation remains separate from HSTS enforcement. HSTS guarantees the browser will attempt HTTPS connections, but standard certificate validation determines whether those connections succeed. If an HSTS-enabled domain presents an invalid certificate, the browser blocks access entirely rather than falling back to HTTP.
The interaction between HSTS and certificate validation creates powerful protection against sophisticated attacks. Even if attackers present fraudulent certificates for HSTS-enabled domains, users cannot bypass the certificate warnings because HSTS prevents HTTP fallback. This forces attackers to obtain valid certificates from trusted certificate authorities, significantly raising the attack complexity and detection probability.
HSTS deployment directly impacts an organization's exposure to network-based attacks and data interception. Without HSTS, every user's first connection to a website traverses the network in plaintext, regardless of the site's HTTPS configuration. This creates predictable attack windows that sophisticated adversaries routinely exploit.
SSL stripping attacks demonstrate the business risk of missing HSTS protection. When users connect to banking, email, or e-commerce sites over compromised networks, attackers can maintain transparent HTTP proxies that capture credentials, session tokens, and sensitive data. Users see familiar website interfaces and have no indication their connections are compromised. The attack succeeds because browsers default to HTTP and only upgrade to HTTPS after receiving server redirects.
The financial and reputational consequences of successful SSL stripping attacks are severe. Banking credentials enable direct financial theft. E-commerce session hijacking allows unauthorized purchases and access to payment methods. Email account compromise provides access to password reset mechanisms for other services. In each case, the attack succeeds not because of complex technical vulnerabilities, but because of missing HSTS configuration.
HSTS also protects against mixed content attacks, where HTTPS websites load HTTP resources that attackers can modify. Even when the main page loads over HTTPS, HTTP-linked stylesheets, scripts, or images create injection opportunities. HSTS prevents these attacks by ensuring all resources load over HTTPS, eliminating the HTTP attack surface entirely.
Organizations commonly underestimate HSTS's importance because they focus on server-side security controls and assume HTTPS redirects provide adequate protection. This assumption fails against active network attackers who can intercept and modify traffic before it reaches legitimate servers. HSTS shifts protection to the client side, where attackers cannot disable it through network manipulation.
Another misconception involves the relationship between HSTS and certificate authorities. Some organizations believe HSTS provides protection against fraudulent certificates. While HSTS does prevent HTTP fallback when certificate validation fails, it does not strengthen certificate validation itself. Organizations still need robust certificate management and certificate transparency monitoring alongside HSTS deployment.
The subdomain protection aspect of HSTS creates both security benefits and operational risks. Organizations with complex subdomain infrastructures may have forgotten services, development environments, or third-party integrations that lack HTTPS support. Enabling includeSubDomains before auditing all subdomains can break legitimate functionality. However, leaving subdomains unprotected allows attackers to target them for cookie theft and session hijacking attacks.
CDA treats HSTS as a foundational hygiene control within the Security Posture and Hygiene domain, with critical data protection implications for the Data Protection and Sovereignty domain. The Autonomous Posture Command methodology recognizes that HSTS configuration, once properly implemented, operates independently and persistently to protect users without ongoing intervention. This aligns with APC's principle that "your posture adapts, your hygiene never sleeps."
During C-RECON engagements, CDA operators systematically audit HSTS implementation across all customer web properties. This includes verifying header presence and syntax, validating max-age values, checking subdomain inclusion policies, and confirming preload list status. CDA's approach differs from conventional security assessments by testing HSTS functionality from multiple network perspectives and browser environments, ensuring policies work correctly across diverse user scenarios.
CDA recommends aggressive HSTS policies that prioritize security over convenience. Maximum max-age values of two years (63072000 seconds) provide extended protection even if organizations temporarily stop maintaining their HSTS headers. Universal includeSubDomains deployment protects against subdomain-based attacks, though CDA works with organizations to identify and remediate HTTPS gaps before enabling subdomain protection. Preload list inclusion receives high priority in CDA security roadmaps because it eliminates first-visit vulnerabilities entirely.
The CDA methodology emphasizes HSTS's role in defense-in-depth architectures. HSTS complements but does not replace other transport security controls like certificate pinning, certificate transparency monitoring, and robust TLS configuration. CDA operators validate that HSTS policies align with broader transport security strategies and organizational risk profiles.
C-BUILD engagements include HSTS deployment as a standard security baseline requirement. CDA's implementation guidance covers web server configuration across multiple platforms, testing procedures for validation, and monitoring approaches for ongoing compliance. Unlike conventional implementation guides that focus solely on technical configuration, CDA addresses the operational aspects of HSTS deployment, including change management coordination and user communication strategies.
CDA recognizes that HSTS effectiveness depends on consistent implementation across entire organizations. Partial deployment creates security gaps that attackers can exploit by targeting unprotected properties. CDA's organizational security assessments include comprehensive web property discovery to ensure HSTS policies cover all public-facing services, not just primary websites.
• HSTS eliminates first-request vulnerabilities by moving HTTPS enforcement from servers to browsers, preventing SSL stripping attacks that intercept initial HTTP connections.
• Preload list inclusion provides maximum protection by enforcing HTTPS from the first visit, but requires careful subdomain auditing before enabling includeSubDomains policies.
• Maximum max-age values (two years) and aggressive subdomain inclusion policies provide the strongest security posture, though organizations must ensure all subdomains support HTTPS before deployment.
• HSTS functions as an automatic, persistent security control that operates without user intervention, making it a critical component of autonomous security hygiene programs.
• Complete organizational coverage requires systematic discovery and configuration of all web properties, not just primary websites, to prevent attackers from targeting unprotected services.
• Autonomous Posture Command (APC): Hygiene That Never Sleeps • TLS Certificate Management and Validation • Web Application Security Headers • Network-Based Attack Prevention • Transport Layer Security Configuration
• Hodges, J., Jackson, C., & Barth, A. (2012). HTTP Strict Transport Security (HSTS). RFC 6797. Internet Engineering Task Force. • National Institute of Standards and Technology. (2020). Guide to General Server Security (SP 800-123). NIST Special Publication 800-123. • OWASP Foundation. (2021). OWASP Secure Headers Project. Open Web Application Security Project. • Center for Internet Security. (2022). CIS Controls Version 8. Center for Internet Security.
CDA Theater missions that address topics covered in this article.
COBIT 2019 is ISACA's IT governance framework with 40 objectives across five domains, featuring a flexible design factor system that aligns IT strategy with business goals and maps to standards like NIST CSF and ISO 27001.
CMMC 2.0 requires defense contractors to demonstrate cybersecurity maturity at three levels.
HITRUST CSF harmonizes multiple frameworks into one certifiable standard for healthcare.
Written by CDA Editorial
Found an issue? Help improve this article.