
The usual way to move traffic from HTTP to HTTPS is a permanent (301) redirect, so that search engines and users who request the HTTP URL land on the HTTPS version of the site. On its own, this technique cannot guarantee safe traffic for your users: the first request is still sent over plaintext HTTP, and an attacker who can intercept it can answer with a redirect to a different host (for example a phishing page) without any validation by the user's browser. HTTP Strict Transport Security (HSTS) closes this gap. It is a web security mechanism, delivered as a response header, that instructs the browser to connect to the site only over HTTPS.
Impact
Using this vulnerability, an attacker can:
- redirect the user to a malicious site to steal information/data.
- show the end users some false data which will, in turn, affect the credibility of the website.
Mitigation / Precautions
According to Beagle, a secure connection can be achieved by using a response header field named Strict-Transport-Security.
Strict-Transport-Security: max-age=31539000
A universal and straightforward technique is to configure the server to redirect to HTTPS and to send the Strict-Transport-Security header on every HTTPS response. Once the client has received the header, it stores the policy for max-age seconds and rewrites any later HTTP request to the site into an HTTPS request before it leaves the browser. The very first request, made before the client has ever seen the header, is still unprotected.
Strict-Transport-Security: max-age=31536000; includeSubDomains
The above header also applies the policy to every subdomain of the host, so subdomain connections are treated as HTTPS-only as well.