DEV Community

Discussion on: Frontend Security: Security Headers

GrahamTheDev

Just a heads up for anyone who lands on this article.

Simply adding the HSTS security header is not very effective as your site is still vulnerable to downgrade attacks when a person first visits the site (or when the max age on the header has expired).

You need to go to this site and enter your site info to have HSTS preloading enabled to prevent this.

Be warned though, once you are on the HSTS preload list your site will not function over http under any circumstances so make sure you know what you are doing.

You are also then required to add "includeSubDomains; preload" to your HSTS header.

Finally, a max-age of 1000 is purely for testing; this should really be set to two years to be in line with current recommendations (two years is 63072000 seconds).

So your final header for HSTS should be:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

At that point you have configured this header correctly.

Mads Stoumann

Thanks for the heads up! I've added an update, explaining how to achieve this in Cloudflare.

Nuno Loureiro

You are very right with everything, except for one small detail that might make all the difference when you're evaluating risk.

You're saying that HSTS is not very effective because, on your very first visit with a browser, you're not protected? So, not being protected in one visit per browser in 2 years (assuming the max-age of 2 years), which might represent 99.9999% of the cases, is not being effective? :)

Nuno Loureiro

2 more interesting (positive) notes:

  • If your domain is .app then HSTS is already preloaded by default.
  • When HSTS is set, all browser SSL/TLS warnings are upgraded into errors that cannot be bypassed to view the site.
GrahamTheDev

I agree "not very effective" was probably a little heavy-handed, but "only 70% as effective" would probably be a fair assessment.

You are right, once you have been to the site you are protected...unless the server gets hacked.

Then the attacker simply sets your HSTS to 0 so it expires immediately the second someone visits the site, and they can man-in-the-middle and downgrade attack to their heart's content (I make it sound easy, I am aware it is not!). It is also the sort of attack that can go on for months because nobody checks their headers regularly... nobody :-P

HSTS preload means that even if that happened everyone is still protected, as well as protecting first time visitors.

Also bear in mind that once someone has successfully performed a man-in-the-middle attack, an end user will likely never get the HSTS headers / meta tags that instruct the browser to upgrade insecure requests, as the attacker will just strip them.

With about 20% of traffic to a typical site being new users that can soon add up!

As I said, not very effective unless you use preloading as that makes it impossible to access the site over http in nearly every major browser.

Obviously for 99% of websites none of the above is a major issue purely because they are not big enough targets to justify the effort.

But for the 1% where the risk is real HSTS must be preloaded or it is next to useless for protection.

P.S. Thanks for the interesting info about .app domains, never knew that...a good one to add to my "almost useless, mildly interesting geek facts" list I have in my head for special occasions…and I wonder why nobody wants to hang out anymore 🤣🤣🤣
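An added example (editor's code, not from any commenter or from the article under discussion) covering two points raised in this thread: the preload-quality header GrahamTheDev gives in his first comment, and his later point that a compromised server can serve max-age=0 to wipe the stored policy and that nobody checks their headers regularly. It parses a Strict-Transport-Security value as RFC 6797 describes (case-insensitive directive names, optionally quoted max-age, unknown directives ignored), reports what keeps the header from preload quality, and runs a monitor over constructed sample responses that flags hosts whose header is missing, invalid or cleared. The hostnames and header values in SAMPLE_RESPONSES are constructed; the one-year floor is the minimum the hstspreload.org submission form requires at the time of writing, stated here as an assumption rather than something the thread says.

```python
import re
from typing import Dict, List, Optional, Tuple

# Thresholds used below. The one-year floor is what the hstspreload.org
# submission form requires at the time of writing (assumption, not from the
# thread); two years is the value the thread recommends.
MIN_PRELOAD_MAX_AGE = 31536000
RECOMMENDED_MAX_AGE = 63072000


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Directive names are case-insensitive and the max-age value may be quoted.
    Unknown directives are ignored, as browsers do. Returns a dict with
    max_age (int or None), include_subdomains, preload and a list of errors.
    """
    parsed = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    max_age_count = 0
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            max_age_count += 1
            if re.fullmatch(r"\d+", val):
                parsed["max_age"] = int(val)
            else:
                parsed["errors"].append(f"max-age value is not an integer: {val!r}")
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    # RFC 6797 requires exactly one max-age directive; otherwise the header is ignored.
    if max_age_count == 0:
        parsed["errors"].append("max-age directive is missing")
    elif max_age_count > 1:
        parsed["errors"].append("max-age directive appears more than once")
    return parsed


def assess_hsts(value: str) -> Tuple[str, List[str]]:
    """Classify a header value and list what keeps it from preload quality.

    Returns one of:
      "invalid"       - the browser will ignore the header entirely
      "cleared"       - max-age=0, which wipes any stored policy on the next visit
      "enabled"       - HSTS works for returning visitors but is not preloadable
      "preload-ready" - meets max-age >= 1 year, includeSubDomains and preload
    """
    parsed = parse_hsts(value)
    if parsed["errors"]:
        return "invalid", parsed["errors"]
    if parsed["max_age"] == 0:
        return "cleared", ["max-age=0 tells browsers to forget the stored HSTS policy"]
    findings = []
    if parsed["max_age"] < MIN_PRELOAD_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below the one-year preload minimum "
                        f"(recommended: {RECOMMENDED_MAX_AGE})")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains directive is missing")
    if not parsed["preload"]:
        findings.append("preload directive is missing")
    return ("enabled", findings) if findings else ("preload-ready", [])


def monitor_hsts(observed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Return an alert per host whose HSTS header is absent, invalid or cleared.

    `observed` maps a hostname to the Strict-Transport-Security value seen in
    its HTTPS response (None when the header was not sent). Running this on a
    schedule is the "check your headers regularly" step the thread asks for.
    """
    alerts = {}
    for host, value in observed.items():
        if value is None:
            alerts[host] = "header missing: browsers will not record any HSTS policy"
            continue
        status, findings = assess_hsts(value)
        if status in ("invalid", "cleared"):
            alerts[host] = f"{status}: " + "; ".join(findings)
    return alerts


# Constructed sample responses for a stand-alone run (not real hosts).
SAMPLE_RESPONSES = {
    "good.example": "max-age=63072000; includeSubDomains; preload",
    "testing.example": "max-age=1000",
    "tampered.example": "max-age=0",
    "broken.example": "includeSubDomains; preload",
    "silent.example": None,
}

if __name__ == "__main__":
    for host, value in SAMPLE_RESPONSES.items():
        if value is not None:
            print(host, assess_hsts(value))
    for host, alert in monitor_hsts(SAMPLE_RESPONSES).items():
        print("ALERT", host, alert)
```

Note that `monitor_hsts` deliberately does not alert on "enabled" headers such as max-age=1000: a short max-age is a configuration weakness to fix, not a sign of tampering, whereas a header that suddenly disappears or turns into max-age=0 is the change a compromised or misconfigured origin would produce and is worth paging on.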