Difference between revisions of "GC HTTPS HSTS"
(Created page with "==HTTP Strict Transport Security (HSTS)== HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over H...") |
|||
(10 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | |||
==HTTP Strict Transport Security (HSTS)== | ==HTTP Strict Transport Security (HSTS)== | ||
HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. | HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs. | ||
Line 7: | Line 8: | ||
* Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol. | * Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol. | ||
* Removes the ability for users to click through warnings about invalid certificates | * Removes the ability for users to click through warnings about invalid certificates | ||
− | + | * '''Note:''' HSTS headers set on '''HTTP''' endpoints are '''ignored by most browsers''' due to the potential for malicious headers to be injected, however are recognized on HTTPS endpoints. | |
− | + | ||
+ | ===Types of HSTS=== | ||
+ | '''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following: | ||
+ | <br><br> | ||
+ | <code>Strict-Transport-Security: max-age=31536000; includeSubDomains;</code> | ||
+ | <br><br> | ||
+ | This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication. | ||
+ | <br><br> | ||
+ | '''Static HSTS''': In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end: | ||
<br><br> | <br><br> | ||
− | + | <code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code> | |
<br><br> | <br><br> | ||
+ | To enable HTTP Strict Transport Security (HSTS) to help the browser secure connections to your service; at least the first of the following two steps should be take, with <code>preload</code> '''only when ready''': | ||
+ | * add the Strict-Transport-Security HTTP header when the site is accessed over HTTPS - this instructs the browser to only request the HTTPS version in future (until the expiration time in the header elapses) | ||
+ | * add your sites to the HSTS preload lists which modern browsers use to automatically redirect HTTP traffic to HTTPS (Chrome’s preload list is included in many of the other browsers’ lists) | ||
+ | |||
+ | ===HSTS Considerations=== | ||
When moving to HSTS, bear in mind: | When moving to HSTS, bear in mind: | ||
− | * The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not <nowiki>https://www.domain.gc.ca</nowiki>. | + | * The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not your HTTP endpoint, nor <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file. |
+ | * In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year) | ||
+ | * In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code> | ||
* All subdomains associated with the parent domain must be fully ready for HTTPS, e.g.: eliminating mixed content. (They do not have to each have their own HSTS policy.) | * All subdomains associated with the parent domain must be fully ready for HTTPS, e.g.: eliminating mixed content. (They do not have to each have their own HSTS policy.) | ||
* When starting with <code>inclSubDomains</code>, it is best to use a very short <code>max-age</code> time (e.g. 5 minutes - 300s) until you are sure your sub-domains are all fully compliant. | * When starting with <code>inclSubDomains</code>, it is best to use a very short <code>max-age</code> time (e.g. 5 minutes - 300s) until you are sure your sub-domains are all fully compliant. | ||
− | < | + | <Br> |
− | |||
− | |||
− | |||
− | |||
When ready to preload a domain, departments' web teams are recommended to contact their IT Security teams for a review, prior to submitting the domain to the [https://hstspreload.org/ preload list], to ensure it meets the following requirements: | When ready to preload a domain, departments' web teams are recommended to contact their IT Security teams for a review, prior to submitting the domain to the [https://hstspreload.org/ preload list], to ensure it meets the following requirements: | ||
− | * HTTPS is enabled on the site's root domain (e.g. <nowiki>https://domain.gc.ca</nowiki>), and all subdomains (e.g. <nowiki>https://www.domain.gc.ca</nowiki>) – especially the www subdomain, if a DNS record for it exists. 'This also includes any subdomains in use solely on intranets'. | + | * HTTPS is enabled on the site's root domain (e.g. <nowiki>https://domain.gc.ca</nowiki>), and all subdomains (e.g. <nowiki>https://www.domain.gc.ca</nowiki>) – especially the www subdomain, if a DNS record for it exists. ''This also includes any subdomains in use solely on intranets''. |
* The HSTS policy includes all subdomains (<code>inclSubDomains</code>), with a long <code>max-age</code> (at least 1 year = 31536000s), and a header <code>preload</code> flag to indicate that the domain owner consents to preloading. | * The HSTS policy includes all subdomains (<code>inclSubDomains</code>), with a long <code>max-age</code> (at least 1 year = 31536000s), and a header <code>preload</code> flag to indicate that the domain owner consents to preloading. | ||
* The website redirects from HTTP to HTTPS, at least on the site's root domain. | * The website redirects from HTTP to HTTPS, at least on the site's root domain. | ||
Line 30: | Line 42: | ||
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers. | Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers. | ||
<br> | <br> | ||
+ | |||
===HSTS Configuration for Common Web Servers=== | ===HSTS Configuration for Common Web Servers=== | ||
− | Departments are encouraged to use the Mozilla configuration generator in developing HTST headers, referenced in Section 5, above. | + | Departments are encouraged to use the [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla configuration generator] in developing HTST headers, referenced in Section 5, above. |
+ | <br> | ||
+ | |||
+ | ===HSTS Configuration for WordPress=== | ||
+ | For Wordpress, add the header info to the functions.php file. | ||
<br> | <br> | ||
+ | |||
===HSTS and Cookies=== | ===HSTS and Cookies=== | ||
When locking in the use of HTTPS through HSTS, cookies should be set with the Secure flag. The scope of the domain and path of the cookies should be set as restrictively as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as cookies often contain session identifiers or other sensitive information. | When locking in the use of HTTPS through HSTS, cookies should be set with the Secure flag. The scope of the domain and path of the cookies should be set as restrictively as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as cookies often contain session identifiers or other sensitive information. | ||
Line 38: | Line 56: | ||
* <code>__Secure-</code> prefix should be used for all cookies sent from secure origins (such as HTTPS). | * <code>__Secure-</code> prefix should be used for all cookies sent from secure origins (such as HTTPS). | ||
<br> | <br> | ||
+ | |||
===Additional References=== | ===Additional References=== | ||
+ | # [https://github.com/cisagov/pshtt#hsts CISAGOV-pshtt (Github)] - fully explains HSTS measurement by domain-scan | ||
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)] | # [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)] | ||
+ | # [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator] | ||
# [https://hstspreload.org/ HSTS Preload] | # [https://hstspreload.org/ HSTS Preload] | ||
# [https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet OWASP HSTS Cheat Sheet] | # [https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet OWASP HSTS Cheat Sheet] |
Latest revision as of 15:01, 4 November 2019
HTTP Strict Transport Security (HSTS)
HSTS is a simple and widely supported standard to protect visitors by ensuring that their browsers always connect to a website over HTTPS. HSTS exists to remove the need for the common, insecure practice of redirecting users from http:// to https:// URLs.
HSTS is also highly valuable as an organizational forcing function and compliance mechanism. When a domain owner sets an HSTS policy on its base domain with includeSubDomains
and preload
, the domain owner is saying '"Every part of our web infrastructure is HTTPS, and always will be."'
When a browser knows that a domain has enabled HSTS, it does two things:
- Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
- Removes the ability for users to click through warnings about invalid certificates
- Note: HSTS headers set on HTTP endpoints are ignored by most browsers due to the potential for malicious headers to be injected, however are recognized on HTTPS endpoints.
Types of HSTS
Dynamic HSTS: Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:
Strict-Transport-Security: max-age=31536000; includeSubDomains;
This is vulnerable to an attack whereby the very first time the browser requests the domain with http:// (not https://) an adversary intercepts the communication.
Static HSTS: In order to overcome this weakness we have the static mode which allows for hard-coding HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention - note the inclusion of preload at the end:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
To enable HTTP Strict Transport Security (HSTS) to help the browser secure connections to your service; at least the first of the following two steps should be take, with preload
only when ready:
- add the Strict-Transport-Security HTTP header when the site is accessed over HTTPS - this instructs the browser to only request the HTTPS version in future (until the expiration time in the header elapses)
- add your sites to the HSTS preload lists which modern browsers use to automatically redirect HTTP traffic to HTTPS (Chrome’s preload list is included in many of the other browsers’ lists)
HSTS Considerations
When moving to HSTS, bear in mind:
- The policy should be deployed at https://domain.gc.ca, not your HTTP endpoint, nor https://www.domain.gc.ca, added to your .htaccess file.
- In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds:
Strict-Transport-Security: max-age=31536000;
(1 year) - In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- All subdomains associated with the parent domain must be fully ready for HTTPS, e.g.: eliminating mixed content. (They do not have to each have their own HSTS policy.)
- When starting with
inclSubDomains
, it is best to use a very shortmax-age
time (e.g. 5 minutes - 300s) until you are sure your sub-domains are all fully compliant.
When ready to preload a domain, departments' web teams are recommended to contact their IT Security teams for a review, prior to submitting the domain to the preload list, to ensure it meets the following requirements:
- HTTPS is enabled on the site's root domain (e.g. https://domain.gc.ca), and all subdomains (e.g. https://www.domain.gc.ca) – especially the www subdomain, if a DNS record for it exists. This also includes any subdomains in use solely on intranets.
- The HSTS policy includes all subdomains (
inclSubDomains
), with a longmax-age
(at least 1 year = 31536000s), and a headerpreload
flag to indicate that the domain owner consents to preloading. - The website redirects from HTTP to HTTPS, at least on the site's root domain.
Note: While preloading a domain is an easy proposition, backing out of preloaded status is not a simple task; be sure you are ready and want to preload your domain prior to doing so. Please ensure you read all of the details here before preloading. GC.ca will not be preloaded until such time that all subdomain (https://domain.gc.ca) sites are HTTPS and have HSTS enabled.
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers.
HSTS Configuration for Common Web Servers
Departments are encouraged to use the Mozilla configuration generator in developing HTST headers, referenced in Section 5, above.
HSTS Configuration for WordPress
For Wordpress, add the header info to the functions.php file.
HSTS and Cookies
When locking in the use of HTTPS through HSTS, cookies should be set with the Secure flag. The scope of the domain and path of the cookies should be set as restrictively as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as cookies often contain session identifiers or other sensitive information.
- Cookie names may be prepended with
__Secure-
to prevent cookies from being overwritten by insecure sources; __Secure-
prefix should be used for all cookies sent from secure origins (such as HTTPS).
Additional References
- CISAGOV-pshtt (Github) - fully explains HSTS measurement by domain-scan
- HSTS Spec (IETF)
- Mozilla Configuration Generator
- HSTS Preload
- OWASP HSTS Cheat Sheet
- OWASP Secure Cookie page
- Browser support for HSTS
- HSTS web developer documentation maintained by the Mozilla community
- HSTS Cheat Sheet (Scott Helme)