
What Is HTTP Strict Transport Security: A Non-Technical Intro

HTTP Strict Transport Security, recognized mainly by its abbreviation HSTS, instructs the browser that a specific website should only ever be loaded over HTTPS, never over plain HTTP.

This command to the browser comes from the website implementing the HSTS protocol/standard.

How Does HSTS (HTTP Strict Transport Security) Work?

At the end of the day, HSTS is a response header that the website sends to the browser. Once the browser has read this header for a site/domain, it knows to always load that site over an HTTPS connection.

This holds true even when the user tries to reach the site over HTTP, or types the address without any protocol at all, such as example.com (note that neither http:// nor https:// appears in example.com).

Specifically, HSTS was created to address the widespread but insecure practice of redirecting HTTP URLs to HTTPS URLs. To the user, the final destination is an HTTPS URL; the redirect itself, however, happens over an unprotected connection and can expose the site to attack.

As an example, while the redirect is taking place, a malicious actor on the network path can capture cookie information or even route you to a different website altogether for phishing. The point is that even if HTTP is used for only a very short moment, and even if it then redirects to HTTPS, that moment leaves the site vulnerable: the plaintext request can be intercepted in a man-in-the-middle attack.

What Is the Significance of HSTS?

Figure: Significance of HSTS.

The fundamental significance is that, once turned on, it makes the browser itself convert every connection to HTTPS before the request is sent, which is different from relying on the server to redirect afterwards.

Another way to think about it is that it forces the browser to use an HTTPS connection whenever the site offers one. Why? Because this protects the site and its users from online snooping and other attacks on the unencrypted connection.

HSTS Preloading and First Time Visits

Generally speaking, HSTS is enforced only after the browser has connected to a site/domain over HTTPS at least once and received the header. Until then, any non-secure attempt to reach the site can be exploited.

To alleviate this pain point, websites can preload HSTS using a service run by Google. While preloading is not part of the official HSTS specification, the practice is so common that many browsers either already support the preload list or have stated that they intend to.

In practice, preloading Strict Transport Security means that HSTS is already in effect on the very first visit, even when that visit starts over non-HTTPS.
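To make the mechanism above concrete, here is an added example (not code from the original article) that models a browser's HSTS cache in Python: it parses the Strict-Transport-Security header, ignores the header when it arrives over plain HTTP, honours max-age, includeSubDomains and expiry, and treats a constructed preload list as already trusted on the first visit. The hostnames and preload list are invented for the demonstration.

```python
# Toy model of a browser's HSTS cache (added illustration, not browser code).
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None if max-age is missing."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True   # other directives are ignored (RFC 6797)
    return policy if policy["max_age"] is not None else None


class HstsStore:
    def __init__(self, preloaded=()):
        self.entries = {}                # host -> (expires_at, include_subdomains)
        self.preloaded = set(preloaded)  # hosts shipped with the browser (constructed)

    def observe_response(self, host, scheme, headers, now):
        """Learn a policy from a response; a header over plain HTTP is ignored."""
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or not value or (policy := parse_hsts(value)) is None:
            return False
        if policy["max_age"] == 0:       # max-age=0 tells the browser to forget
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        labels = host.split(".")
        for i in range(len(labels)):     # the host itself, then each parent domain
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:  # preload entries cover subdomains too
                return True
            entry = self.entries.get(candidate)
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def resolve(self, url, now):
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Running the store through a first visit over HTTP, a later HTTPS visit, expiry and a preloaded host shows exactly the window the article describes: only the preloaded host is upgraded before the browser has ever seen the header over HTTPS.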

Which Browsers Accept HSTS Standard?

According to MDN Web Docs, almost all browsers support HSTS in some form; the one exception is Opera for Android, whose compatibility is listed as unknown.

Figure: List of browsers that are compatible with HSTS. Screenshot captured from MDN Web Docs.


Summary

HSTS or HTTP Strict Transport Security is an innovative and purposeful standard that can force browsers to connect with websites only with HTTPS.

This way, site users are safeguarded more against cybercriminals and wrongdoers that wait for a window of opportunity to exploit lackluster domain security.

Looked at closely, HSTS was designed precisely to remove the exposure created by redirecting from non-secure HTTP to secure HTTPS.
