HTTPS Strict Transport Security (HSTS) is a proposed mechansim for websites to communicate to the browser that all embedded content, such as images and Ajax requests, on a https-encrypted webpage should be accessed via https as well. The browser, in turn, should take note of this request and should ensure, and change if neccessary, that all connections to the website are via https.
- Browser navigates to a HSTS website via HTTPS.
- The HSTS website responds with the requested content. In its HTTP Response, there is a HTTP header “Strict-Transport-Security”, which would indicate to the browser that it is a HSTS website and also specify the duration for which this header is valid via the “max-age” attribute. The maximum value for “max-age” is 778000 sec = 90 days
- The browser will take note and remember this website as HSTS. During the valid duration, the browser would check that all HTTP connections to the website are via HTTPS and modifies if necessary, i.e. change “http://abc.com/myimage.png” to “https://abc.com/myimage.png”. In addition, if there are any errors in accessing the content via HTTPS, such as an invalid SSL Cert, the request would fail.
Note that HTTPS Strict Transport Security was designed as a second line of defense in case of human (programming) errors, to mitigate the risks of passive attacks (packet sniffing), by ensuring that all sensitive data such as cookies are transmitted through secured channels. HSTS is not designed to protect against active hackers; you’ll still need your standard security tools – firewalls, anti-viruses – for that.
Browsers that support HSTS include Google Chrome and Firefox. The NoScript Firefox extension also enforces HSTS for (older versions of) Firefox.
An example of a website that supports HSTS is Paypal: