Lack of HTTP Strict Transport Security (HSTS)

By
Jijith Rajan
Published on
01 Feb 2024
6 min read
Vulnerability

The HTTP Strict Transport Security (HSTS) header is a security enhancement for HTTP communication.

The HTTP Strict Transport Security (HSTS) allows a web server to declare stating; the web browsers should interact with the server using a secure HTTPS connection only. The HSTS is an IETF standards track protocol specified under RFC 6797.

When a supported browser receives HSTS header, the browser will terminate and prevent any communications sent over HTTP to the application’s domain.

The header initiates communication between the server and the client via HTTPS communication. HSTS also prevents HTTPS clicking through prompts on the browsers.

Without HSTS, there is a chance for the application to be a target to downgrade attacks, SSL-stripping, man-in-the-middle attacks and cookie-hijacking attacks.

If a website has HSTS enabled, the browser will automatically convert any HTTP requests to HTTPS before sending them to the server, even if the user manually types “http://” in the address bar.

What are the impacts of a lack of HSTS?

Lack of HTTP Strict Transport Security (HSTS) can lead to potential security risks for both website operators and users:

1. Man-in-the-middle attacks

Without HSTS, attackers can potentially intercept or modify traffic between a user’s browser and the server.

They might trick the user’s browser into connecting to a non-secure version of the website, allowing them to eavesdrop on sensitive information.

2. SSL stripping

Attackers can exploit lack of HSTS by downgrading secure HTTPS connections to unencrypted HTTP connections using techniques like SSL stripping.

This can expose user credentials, session cookies, and other sensitive data to attackers.

3. Session hijacking

If a user accesses a website over an unsecured HTTP connection, their session cookies and authentication tokens can be intercepted, leading to session hijacking attacks.

4. Security and privacy implications

Websites that don’t enforce HTTPS may expose user data, such as login credentials, personal information, and financial details, to potential eavesdropping and theft.

5. Trust and reputation

Modern web users have come to expect secure browsing experiences. A lack of HSTS can erode user trust and negatively impact the reputation of a website.

To mitigate these risks, website administrators should consider implementing HSTS. To do so, they typically include the HSTS header in their server’s response to the user’s browser.

This header contains information about the website’s HSTS policy, including the duration for which the browser should only access the site over HTTPS.

This policy can be “preloaded” into modern browsers to ensure that the browser always accesses the site securely, even for the first visit.

It’s important to note that implementing HSTS alone may not address all security concerns. It should be part of a broader strategy that includes other security measures like proper SSL/TLS configuration, regular security audits, and keeping web applications up to date.

How can you prevent vulnerabilities that arise from a lack of HSTS?

HSTS (HTTP Strict Transport Security) is a security feature designed to enhance web security by enforcing secure connections over HTTPS.

It’s not something that needs to be mitigated or prevented itself; rather, it’s a measure that website administrators can implement to prevent certain security risks.

1. Proper implementation

Implement HSTS correctly by adding the appropriate HTTP header to your web server’s response.

The HSTS header should include the max-age directive, which specifies how long the browser should remember to enforce HTTPS for the website.

2. Use of preloading

You can apply for HSTS preloading, which involves adding your domain to the HSTS preload list maintained by browser vendors.

This ensures that browsers will automatically enforce HTTPS for your website even for the first visit, without any initial insecure connections.

3. Include subdomains

If your website uses subdomains, consider including them in your HSTS policy. This can be done by using the including subdomains directive in your HSTS header.

4. Testing

Before enabling HSTS, thoroughly test your website over HTTPS to ensure that all resources are loaded securely.

Mixed content (loading insecure resources over a secure connection) can cause problems and weaken the security provided by HSTS.

5. Backup plans

Plan for contingencies in case your HTTPS configuration fails or there are issues with your SSL/TLS certificate.

Have backup mechanisms in place to handle such situations and minimize service disruptions.

6. Certificate management

Properly manage your SSL/TLS certificates. Ensure they are valid and up to date. Use reputable Certificate Authorities (CAs) to obtain certificates for your domain.

7.Monitoring

Regularly monitor your website’s HSTS implementation.

This includes checking for any policy changes, ensuring that the header is still being sent correctly, and verifying that subdomains are covered if needed.

8. HTTP to HTTPS redirects

Implement proper HTTP to HTTPS redirects. When users try to access your site via HTTP, they should be automatically redirected to the HTTPS version.

9. Error handling

Set up appropriate error handling for HSTS-related issues. For instance, if a user’s browser encounters an HSTS-related error, provide clear instructions on what they should do.

10. Educate developers

Ensure that your development team understands the implications of HSTS and how to implement it correctly. This is important to maintain security during development and updates.

11. Regular Security Audits

Conduct regular security audits of your website to identify potential vulnerabilities or misconfigurations, including HSTS-related aspects.



Remember, while HSTS provides valuable security benefits, it’s just one component of a comprehensive security strategy.

It works best when combined with other security practices, such as keeping your software up to date, implementing proper access controls, and following secure coding practices.


Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days