Changes

487 bytes added, 16:01, 4 November 2019
Line 8: Line 8:  
* Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
 
* Always uses an https:// connection, even when clicking on an http:// link or after typing a domain into the location bar without specifying a protocol.
 
* Removes the ability for users to click through warnings about invalid certificates
 
* Removes the ability for users to click through warnings about invalid certificates
<br>
+
* '''Note:''' HSTS headers set on '''HTTP''' endpoints are '''ignored by most browsers''' due to the potential for malicious headers to be injected, however are recognized on HTTPS endpoints.
 +
 
 +
===Types of HSTS===
 
'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:
 
'''Dynamic HSTS''': Dynamic means that the browser has been instructed to enable HSTS by an HTTP response header (served over TLS) similar to the following:
 
<br><br>
 
<br><br>
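Review bot: the second clause of the added note reads as a run-on ("...to be injected, however are recognized on HTTPS endpoints"); suggest "...to be injected; they are honoured only when received over HTTPS", which also lines up with the "served over TLS" wording in the Dynamic HSTS paragraph that follows. The unchanged `<br>` left directly before the note plus the three empty `+` lines produce stray whitespace in the rendered page; a single blank line is enough in wikitext.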
Line 19: Line 21:  
<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
 
<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
 
<br><br>
 
<br><br>
In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
+
To enable HTTP Strict Transport Security (HSTS) to help the browser secure connections to your service; at least the first of the following two steps should be take, with <code>preload</code> '''only when ready''':
<br><br>
+
* add the Strict-Transport-Security HTTP header when the site is accessed over HTTPS - this instructs the browser to only request the HTTPS version in future (until the expiration time in the header elapses)
In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
+
* add your sites to the HSTS preload lists which modern browsers use to automatically redirect HTTP traffic to HTTPS (Chrome’s preload list is included in many of the other browsers’ lists)
<br><br>
+
 
 +
===HSTS Considerations===
 
When moving to HSTS, bear in mind:
 
When moving to HSTS, bear in mind:
* The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not <nowiki>https://www.domain.gc.ca</nowiki>.
+
* The policy should be deployed at <nowiki>https://domain.gc.ca</nowiki>, not your HTTP endpoint, nor <nowiki>https://www.domain.gc.ca</nowiki>, added to your .htaccess file.
 +
* In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds: <code>Strict-Transport-Security: max-age=31536000;</code> (1 year)
 +
* In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be “preloaded” into browsers, pre-empting the need to visit via unsecure connection first:<code>Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</code>
 
* All subdomains associated with the parent domain must be fully ready for HTTPS, e.g.: eliminating mixed content. (They do not have to each have their own HSTS policy.)
 
* All subdomains associated with the parent domain must be fully ready for HTTPS, e.g.: eliminating mixed content. (They do not have to each have their own HSTS policy.)
 
* When starting with <code>inclSubDomains</code>, it is best to use a very short <code>max-age</code> time (e.g. 5 minutes - 300s) until you are sure your sub-domains are all fully compliant.
 
* When starting with <code>inclSubDomains</code>, it is best to use a very short <code>max-age</code> time (e.g. 5 minutes - 300s) until you are sure your sub-domains are all fully compliant.
<br>
+
<Br>
To enable HTTP Strict Transport Security (HSTS) to help the browser secure connections to your service; at least the first of the following two steps should be take, with <code>preload</code> '''only when ready''':
  −
* add the Strict-Transport-Security HTTP header when the site is accessed over HTTPS - this instructs the browser to only request the HTTPS version in future (until the expiration time in the header elapses)
  −
* add your sites to the HSTS preload lists which modern browsers use to automatically redirect HTTP traffic to HTTPS (Chrome’s preload list is included in many of the other browsers’ lists)
  −
<br>
   
When ready to preload a domain, departments' web teams are recommended to contact their IT Security teams for a review, prior to submitting the domain to the [https://hstspreload.org/ preload list], to ensure it meets the following requirements:
 
When ready to preload a domain, departments' web teams are recommended to contact their IT Security teams for a review, prior to submitting the domain to the [https://hstspreload.org/ preload list], to ensure it meets the following requirements:
 
* HTTPS is enabled on the site's root domain (e.g. <nowiki>https://domain.gc.ca</nowiki>), and all subdomains (e.g. <nowiki>https://www.domain.gc.ca</nowiki>) – especially the www subdomain, if a DNS record for it exists. ''This also includes any subdomains in use solely on intranets''.
 
* HTTPS is enabled on the site's root domain (e.g. <nowiki>https://domain.gc.ca</nowiki>), and all subdomains (e.g. <nowiki>https://www.domain.gc.ca</nowiki>) – especially the www subdomain, if a DNS record for it exists. ''This also includes any subdomains in use solely on intranets''.
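Review bot: the "To enable HTTP Strict Transport Security" paragraph is moved up unchanged and carries its typo with it ("should be take" should read "should be taken"); worth fixing as part of the move. The rewritten first consideration is ambiguous: "not your HTTP endpoint, nor https://www.domain.gc.ca, added to your .htaccess file" leaves it unclear whether `.htaccess` is where the header is meant to be set or is being warned against; suggest splitting it, e.g. "Deploy the policy on https://domain.gc.ca, not on the plain-HTTP endpoint and not only on https://www.domain.gc.ca", with the `.htaccess` remark as its own sentence stating what is intended. While the list is being reworked, the unchanged bullet about starting with a short `max-age` refers to `inclSubDomains`, but the directive shown in the header at the top of this hunk is `includeSubDomains`; a misspelled directive name would not be recognized, so the bullet should use the same spelling. Minor: the "strongest and recommended form" bullet is missing a space before `<code>` ("first:<code>").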
Line 40: Line 41:  
<br><br>
 
<br><br>
 
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers.
 
Firefox, Safari, Opera, IE11 and Edge also incorporate Chrome’s HSTS preload list, making this feature shared across major browsers.
<br><br>
+
<br>
    
===HSTS Configuration for Common Web Servers===
 
===HSTS Configuration for Common Web Servers===
Departments are encouraged to use the [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla configuration generator] in developing HTST headers, referenced in Section 5, above.  
+
Departments are encouraged to use the [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla configuration generator] in developing HTST headers, referenced in Section 5, above.
 +
<br>
 +
 
 +
===HSTS Configuration for WordPress===
 +
For Wordpress, add the header info to the functions.php file.  
 
<br>
 
<br>
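Review bot: the new WordPress section is too thin to act on; "add the header info to the functions.php file" does not say which header value to add or how, so suggest quoting the header from the Dynamic HSTS section (`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`, with `preload` only once the site meets the preload requirements listed above, per the "only when ready" guidance) and stating that it must be emitted only on HTTPS responses, since the note earlier on the page says the header is ignored on HTTP endpoints. Also use "WordPress" in the body text to match the heading, and fix "HTST headers" to "HSTS headers" in the unchanged Mozilla-generator line since that line is being touched anyway (the only change to it here is trailing whitespace).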
Line 53: Line 58:
===Additional References===
 
===Additional References===
 +
# [https://github.com/cisagov/pshtt#hsts CISAGOV-pshtt (Github)] - fully explains HSTS measurement by domain-scan
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
 
# [https://tools.ietf.org/html/rfc6797 HSTS Spec (IETF)]
 
# [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator]
 
# [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Configuration Generator]
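Review bot: the new reference inserted at the top of the numbered list renumbers the existing entries, which matters if "Section 5, above" or other text on the page cites these references by number; consider appending it at the end instead. The descriptor "fully explains HSTS measurement by domain-scan" names a second tool (domain-scan) that is neither linked nor introduced on the page; either link it or shorten the entry to what the linked README covers ("HSTS checks in pshtt"). Style: "Github" should be "GitHub", and the other entries carry no description, so keep the format consistent.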