HSTS Complements the Force SSL Feature

HSTS (HTTP Strict Transport Security) is the friendly way to force a web browser to use HTTPS, whereas our Force SSL feature takes a redirecting approach (301 Moved Permanently) to force the use of a secure connection. Combining both saves a round trip and therefore lowers latency.

HSTS explained in a nutshell: once the web browser receives the HSTS header field, it caches the policy and from then on communicates with the CDN or your origin server only over a secure transport layer, for the duration of the max-age set in the header field.

Support of HSTS

Most browsers support this feature. KeyCDN supports it in combination with a pull zone by honoring the HSTS header: the web browser receives the cached header field and initiates all further connections over HTTPS. It is not recommended to add an HSTS header if plain-HTTP sites are served on the same domain, because the browser will then refuse to load them over HTTP.

How to configure HSTS on your origin server?

The HSTS response header should only be sent over a secure transport layer; per RFC 6797, a browser must ignore it if it is received over plain HTTP.

Configuration Example for Apache2:

<VirtualHost 67.89.123.45:443>
    ...
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ...
</VirtualHost>

Configuration Example for Nginx:

server {
    listen 443 ssl;
    server_name www.yourwebsite.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ...
}

Directives (names are case-insensitive, so includeSubdomains and includeSubDomains are equivalent):
max-age: how long, in seconds, the browser uses HTTPS exclusively. This directive is required.
includeSubDomains: enforces HTTPS on all sub-domains as well.

How to verify the HSTS header has been cached?

  1. Use curl to receive the header information:
    $ curl -I http://cdn.keycdn.com/assets/script.js
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 15 Sep 2014 15:00:39 GMT
    Content-Type: application/javascript; charset=utf-8
    Content-Length: 8815
    Connection: keep-alive
    Last-Modified: Mon, 01 Sep 2014 19:07:37 GMT
    Vary: Accept-Encoding
    ETag: "5404c3f9-226f"
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Expires: Tue, 15 Sep 2015 20:49:39 GMT
    Cache-Control: max-age=31556940
    X-Cache: HIT
    X-Edge-Location: defr
    Accept-Ranges: bytes

  2. Alternatively, run the Qualys SSL Labs server test, which reports the HSTS status of the site.
    (Screenshot: the HSTS line of an SSL Labs report.)
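As an added example (not KeyCDN's code or a tool the article describes), the following Python script parses a Strict-Transport-Security value the way RFC 6797 tells browsers to, and then applies the checks covered in the directives and verification sections above: the header is honoured only when received over HTTPS, max-age is required and must be numeric, each directive may appear once, and a short max-age or a missing includeSubDomains is flagged. The header dictionary is a constructed sample taken from the curl output; the one-year minimum is an assumed threshold, not a KeyCDN setting.

```python
"""Parse and sanity-check a Strict-Transport-Security header the way a browser
does under RFC 6797.  Added example for this article, not KeyCDN code."""
import re

# Constructed sample: the relevant headers from the curl output above.  The
# scheme the response was fetched over is passed separately, because a
# browser's decision depends on it (curl -I http://... means "http").
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "max-age=31556940",
}

# One directive: a token, optionally followed by "= value" (value may be quoted).
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*?)"?\s*)?$')

ONE_YEAR = 31536000  # assumed minimum max-age for a useful policy


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} for a valid header
    value, or None when a browser would ignore the header (RFC 6797 sect. 6.1):
    syntax error, duplicate directive, or missing/non-numeric max-age."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        match = DIRECTIVE_RE.match(part)
        if match is None:
            return None
        name = match.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            seconds = match.group(2)
            if seconds is None or not seconds.isdigit():
                return None
            policy["max_age"] = int(seconds)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unrecognised directives are ignored, as the RFC requires.
    if policy["max_age"] is None:
        return None  # max-age is the one required directive
    return policy


def evaluate_hsts(headers, scheme, min_age=ONE_YEAR):
    """Decide whether a browser would accept the policy from this response and
    list anything an operator should look at.  `scheme` is the URL scheme the
    response was fetched over ("http" or "https")."""
    result = {"honoured": False, "policy": None, "warnings": []}
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        result["warnings"].append("no Strict-Transport-Security header")
        return result
    if scheme.lower() != "https":
        result["warnings"].append(
            "header received over plain HTTP; browsers ignore it (RFC 6797 sect. 8.1)")
        return result
    policy = parse_hsts(value)
    if policy is None:
        result["warnings"].append("malformed header value: %r" % value)
        return result
    result["honoured"] = True
    result["policy"] = policy
    if policy["max_age"] == 0:
        result["warnings"].append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < min_age:
        result["warnings"].append("max-age %d is shorter than %d seconds"
                                  % (policy["max_age"], min_age))
    if not policy["include_subdomains"]:
        result["warnings"].append("includeSubDomains not set; sub-domains stay unprotected")
    return result


if __name__ == "__main__":
    # The same sample headers are accepted over https and ignored over http.
    for scheme in ("http", "https"):
        print(scheme, evaluate_hsts(SAMPLE_HEADERS, scheme))
```

Run against the sample, the "http" case reports that the header would be ignored, which is exactly why the article says to send it over a secure transport layer only; the "https" case accepts the policy with no warnings, since max-age is one year and includeSubDomains is set.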

Summary

HSTS, coupled with the Force SSL feature, offers an effective SSL implementation. The main benefit is that the browser knows you expect a secure connection. HSTS further mitigates the risk of man-in-the-middle attacks by giving the browser a way to enforce the use of TLS. KeyCDN recommends implementing HSTS on your origin server in combination with the Force SSL feature of your content delivery zone.

HSTS Complements the Force SSL Feature was last modified: April 25th, 2016 by Sven Baumgartner