{"id":1784,"date":"2017-01-30T08:13:16","date_gmt":"2017-01-30T08:13:16","guid":{"rendered":"https:\/\/lineo.es\/guia-hsts-seguridad-web\/"},"modified":"2026-04-01T07:15:38","modified_gmt":"2026-04-01T07:15:38","slug":"hsts","status":"publish","type":"post","link":"https:\/\/lineo.es\/en\/hsts\/","title":{"rendered":"HTTP Strict Transport Security (HSTS)"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

HTTP Strict Transport Security (HSTS)<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Just learned about HSTS and started using it. First let me explain HSTS with my own words.<\/p>

Scenario without hsts:<\/h4>
  1. The user types the domain name in the URL bar without the protocol, such as \u201cexample.com\u201d<\/em>, and the browser automatically adds the \u201chttp:\/\/<\/em>\u201d prefix. This first request is vulnerable to Man In The Middle (MITM) attacks.<\/li>
  2. The server replies with a redirection to the secure \u201chttps:\/\/example.com\u201d<\/em>. From the rest of the interaction communication is secure.<\/li>
  3. The next day the user types again \u201cexample.com\u201d in the URL bar. The browser sends again an\u00a0insecure<\/strong>\u00a0HTTP request.<\/li><\/ol>

    Scenario with hsts:<\/h4>
    1. The user types the domain name in the URL bar without the protocol, such as \u201cexample.com\u201d<\/em>, and the browser automatically adds the \u201chttp:\/\/<\/em>\u201d prefix. This first request is vulnerable to Man In The Middle (MITM) attacks.<\/li>
    2. The server replies with a redirection to the secure \u201chttps:\/\/example.com\u201d<\/em>. From the rest of the interaction communication is secure.\u00a0And<\/strong>, the server adds the response header:
      Strict-Transport-Security: max-age=31536000<\/pre>
      This response header instructs the browser to use HTTPS, and asks him to do so for the next 31.536.000 seconds (1 year).<\/p><\/li>
    3. The next day, the user types again \u201cexample.com\u201d in the URL bar. But, the browser remembers, and it uses HTTPS instead of HTTP. And will do so even if the user includes explicitly the prefix \u201chttp:\/\/example.com\u201d.<\/li><\/ol>
      Closing<\/h4>
      So with HSTS the user will only be vulnerable the first time, and not every time she starts a session.<\/p>
      After learning this I have added support for HSTS to my Ansible role for Django deployment. See\u00a0commit<\/a>, and I encourage you to start using HSTS too.<\/p>
      Links:<\/p>