@rkenmi - Web Backend Security Headers -3. HSTS

Web Backend Security Headers -3. HSTS


Web Backend Security Headers -3. HSTS


Back to Top

Updated on March 14, 2021

Table of Contents

Web Backend Security Headers

  1. CSP Headers
  2. CSRF Headers
  3. HSTS
  4. X-Frame-Options and X-XSS-Protection
  5. DNS records and SPF

Background

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Usage

A server implements an HSTS policy by supplying a header over an HTTPS connection (HSTS headers over HTTP are ignored). For example, a server could send a header such that future requests to the domain for the next year (max-age is specified in seconds; 31,536,000 is equal to one non-leap year) use only HTTPS: Strict-Transport-Security: max-age=31536000.

How it works

HSTS allows web servers to declare that web browsers only use HTTPS, and not HTTP. This is because HTTPS uses TLS/SSL to do secure handshakes, which guarantees that the client and server both have verified each other's identity.

Source of Usage

Typically HSTS is defined at the top-level domain through a load balancer or reverse proxy.

Coming up next

Next, we'll take a look at X-Frame-Options and X-XSS-Protection


Article Tags:
backendwebsecurityhstsunlisted