2024-05-20, Hünkar Döner

What is HSTS? The Hidden Security Law Inside Your Browser

Tags: Security, HSTS, Web, HTTPS, Cybersecurity

HSTS: The Hidden Security Law Inside Your Browser

When we visit a website, we usually just type google.com in the address bar and expect the browser to fill in the https:// part. It is exactly at this redirect moment that an attacker sitting between you and the server (a Man-in-the-Middle) can intercept the plain HTTP request and redirect you to a fake site. HSTS (HTTP Strict Transport Security) is a security mechanism that eliminates this risk.

How Does HSTS Work?

HSTS is a special HTTP header sent by the server to the browser.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The browser (Chrome, Firefox, etc.) receiving this header records the following:

  1. "Never connect to this site (example.com) via HTTP again."
  2. "Even if the user types http://example.com, automatically convert it to https://example.com internally before hitting the network."
  3. "If there is a certificate error (e.g., an expired certificate), do not let the user click 'Proceed anyway'; terminate the connection completely."

Why Use HSTS?

  • Prevents SSL Stripping Attacks: Stops attackers from downgrading HTTPS connections to HTTP.
  • Cookie Security: Guarantees that session cookies are sent only over a secure channel.
  • Prevents User Error: Keeps users safe even if they accidentally click on an HTTP link.

What is HSTS Preload List?

For the browser to learn the HSTS header, the user must visit the site securely at least once. But what if the attack happens on that very first visit? To close this gap there is the HSTS Preload List: a large list maintained by Google and embedded inside browsers such as Chrome, Firefox and Safari. If you add your site to this list (hstspreload.org), a browser that ships the list will never even try to connect to your site via HTTP; it starts directly with HTTPS.
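The three browser rules above, the subdomain and expiry handling, and the preload-list case can be modelled in a few dozen lines. The following is an added example written for this post, not code from the post itself or from any browser; it parses a Strict-Transport-Security value the way RFC 6797 describes, keeps a tiny in-memory policy store with a constructed preload entry, decides whether an http:// URL must be rewritten to https://, and checks a header against the three hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). All host names and timestamps in it are constructed.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).

Added example, not code from the original post. Host names, timestamps
and the tiny "preload list" are constructed for the demonstration.
"""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it is not usable."""
    max_age = None
    include_sub = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit() or max_age is not None:
                return None                  # malformed or duplicate max-age: ignore header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None                          # max-age is mandatory
    return HstsPolicy(max_age, include_sub, preload)


class HstsStore:
    """The browser's memory of which hosts must only be reached over HTTPS."""

    def __init__(self, preload_list=None, clock=time.time):
        self.clock = clock
        self.entries = {}  # host -> (expires_at, include_subdomains)
        # preloaded hosts never expire and are known before any first visit
        for host, include_sub in (preload_list or {}).items():
            self.entries[host] = (float("inf"), include_sub)

    def observe(self, host, header, over_https):
        """Record a header, but only when it arrived over a secure connection."""
        if not over_https:
            return False                     # a header seen over plain HTTP is ignored
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy.max_age == 0:
            self.entries.pop(host, None)     # max-age=0 tells the browser to forget
            return True
        self.entries[host] = (self.clock() + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, is pinned."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue                     # expired entry: behave as if unknown
            if i == 0 or include_sub:        # exact match, or parent covering subdomains
                return True
        return False

    def rewrite(self, url):
        """Rule 2: upgrade http:// to https:// before anything touches the network."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def preload_eligible(header):
    """Check a header against the three hstspreload.org requirements."""
    p = parse_hsts(header)
    return p is not None and p.max_age >= ONE_YEAR and p.include_subdomains and p.preload


if __name__ == "__main__":
    store = HstsStore(preload_list={"preloaded.example": True})
    store.observe("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(store.rewrite("http://api.example.com/login"))   # upgraded via includeSubDomains
    print(store.rewrite("http://deep.preloaded.example/")) # upgraded without any prior visit
    print(preload_eligible("max-age=31536000; preload"))   # False: includeSubDomains missing
```

Two details in the model are worth noting from a defender's side: a header received over plain HTTP is discarded, which is why the Nginx directive has to be emitted from the HTTPS server block, and a policy that has expired behaves exactly like one that was never set, which is why a short max-age silently reopens the first-visit window.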

How to Enable It?

Just add this line to the HTTPS server block of your Nginx configuration (the trailing `always` makes Nginx send the header on every response, error pages included):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

For a secure web experience, an SSL certificate (HTTPS) is no longer enough; HSTS is a necessity.