No security technology stands a chance in the world of coporate IT without its own important preferably mildly recursive acronym. HSTS (HTTP Strict Transport Security) is no exception. While being little more than a simpe http protocol header you need to add to secured websites, it could save your users from a potential world of hurt.
Adding HSTS to a website means the addition of a single http header to be sent with every request made to your server. This header does one simple thing: it tells your browser that -yes- this website is to be accessed over https and *only* over https from now until some predetermined time (which you can set) in the future.
So what does this save you from?
At first glance you may think you haven't seen anything that can't be done using a plain and simple forced 301 redirect to force https onto all of your url's. You should, in fact, keep doing that too. However: how is a visitor to know that your website should be accessed over https instead of plain http? Do you loudly advertise this fact within the content of each and every page of your site? You don't? Thought so.. nobody's that crazy.
Now consider the following scenario. You, being the average Joe Websurfer, use the same password on just about every site you ever registered to. Me, being a nefarious no-good blackhat hacker terrorist, I want the password to your Facebook to post embarrassing pics on your wall and wreak all manner of assorted havoc in your name both there and everywhere else you have an account. Like maybe even your workplace!
One way to go about this, is to phish you using a trick called SSL stripping. To make this work effectively I have to deploy a reverse proxy server and manage to poison your DNS resolution. This proxy exposes the Facebook site to you over plain http, while it negotiates the actual login over https on its other end. You, hapless victim, would presumably not notice the fact that Facebook's login page is now using plain http. Hey, your login succeeded and your Facebook is working like it always has. It may even be a little faster than you're used to.
Meanwhile my proxy, in its role of man-in-the-middle, intercepted your username and password and conveniently emailed it to me. You would be none the wiser until your wall turns into an involuntary Barbara Streisand fan-fest. Simply because both my phishing site and the official Facebook URL would still work for you and no alarms would sound when you're visiting my plain http phishing funnel. This trick saves me the enormous hassle of needing to fake an actual SSL certificate.
Cut out the middle man
The HSTS header informs your browser that the secure website you visit today will remain a secure site. For example: you visit your company's webmail site which advertises itself as "https for at least the next 2 years". Now, I try my stripped man-in-the-middle proxy trick on you, your browser will ring all manner of alarms. The reason? It has your company's webmail flagged as a mandatory https-website. If it suddenly isn't anymore, then that's hugely suspicious and modern browsers will complain.
Using Apache, this is what you add to any <VirtualHost> block for a secure site:
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains"
...
</VirtualHost>
Header always set Strict-Transport-Security "max-age=31556926; includeSubDomains"
...
</VirtualHost>
The max-age attribute is counted in seconds, with the example being the value you'd put in for a year. Personally I think that's hugely ridiculous because this setting is only really useful when measured in weeks at the very least. Yet, control freaks will be control freaks.. can't be helped I guess.
from http://www.area536.com/projects/keep-your-https-site-secure-using-hsts/
