HTTP Strict Transport Security (HSTS)

Site upgrades to a secure connection.

Impact

(How ScanGov measures tasklist priorities.)

Why it's important

HSTS is a security feature that ensures a website is only accessible over HTTPS. It helps to prevent man-in-the-middle attacks, such as protocol downgrade attacks, by enforcing that browsers always communicate with the server over a secure connection. Without HSTS, an attacker could intercept traffic on a non-secure connection and compromise user data.

User stories

As a site visitor, I want the website to automatically redirect to HTTPS and prevent any connection via HTTP so that my data is always encrypted and secure during transmission.

Error

(ScanGov messaging when a site fails a standard)

Secure connection upgrade not enforced.

Guidance

All government websites must have HSTS.

M-15-13:

Strict Transport Security: Websites and services available over HTTPS must enable HTTP Strict Transport Security (HSTS) to instruct compliant browsers to assume HTTPS going forward. This reduces the number of insecure redirects, and protects users against attacks that attempt to downgrade connections to plain HTTP. Once HSTS is in place, domains can be submitted to a “preload list” used by all major browsers to ensure the HSTS policy is in effect at all times.

CIO.gov:

The policy should be deployed at https://domain.gov, not https://www.domain.gov.

About

HTTP Strict Transport Security is a security feature that:

  • Forces web browsers to use HTTPS instead of HTTP.
  • Protects against downgrade attacks and cookie hijacking.
  • Specifies a period during which the browser should enforce HTTPS for the site.

Key points:

  • Activated by the server through a response header (Strict-Transport-Security).
  • Helps improve website security by ensuring encrypted connections.

Code

Example header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
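The following is an added example (not ScanGov's own scanner code) that parses a Strict-Transport-Security header and checks it against the points above: a max-age of at least one year, includeSubDomains, and preload. The one-year threshold and the sample header values are this example's assumptions, constructed for illustration.

```python
# Added example (not ScanGov's scanner): parse a Strict-Transport-Security
# header and assess it against the one-year max-age, includeSubDomains and
# preload requirements this page describes. Sample headers are constructed.
import re

ONE_YEAR = 31536000  # seconds; the max-age in the example header above


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    d = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":  # directive names are case-insensitive
            d["max_age"] = int(arg) if re.fullmatch(r"\d+", arg) else None
        elif name == "includesubdomains":
            d["include_subdomains"] = True
        elif name == "preload":
            d["preload"] = True
    return d


def assess_hsts(headers):
    """Return findings for the response headers of https://domain.gov (empty list = pass)."""
    # Header names are case-insensitive, so match the key without regard to case.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Secure connection upgrade not enforced: no HSTS header."]
    d, findings = parse_hsts(value), []
    if d["max_age"] is None:
        findings.append("max-age missing or not a number.")
    elif d["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy.")
    elif d["max_age"] < ONE_YEAR:
        findings.append(f"max-age {d['max_age']} is below one year.")
    if not d["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains may still use HTTP.")
    if not d["preload"]:
        findings.append("preload missing: domain cannot be submitted to the preload list.")
    return findings


# Constructed sample responses, not captured from a real site.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
MISSING = {"Content-Type": "text/html"}
```

Fetching the apex domain over HTTPS (for example with urllib.request.urlopen) and passing the response headers to assess_hsts turns this into a live check; the preload list has its own submission requirements beyond this header check.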
