Based on recent conference talks and development in technology, we see that society is moving towards secure end user experiences. The examples of service workers and HTTP/2 working strictly over HTTPS demonstrates this movement; additionally, Google announced in late 2015 that their indexing system would now prefer indexing HTTPS URLs over HTTP URLs to motivate developers to move to HTTPS. Generally, the quick fix solution here is to enforce an HTTP to HTTPS redirect for the end user; however, this still leaves the end user open to man-in-the-middle (MITM) attacks in which a malicious end user can manipulate the incoming response or outgoing request over a nonsecure HTTP connection. Furthermore, the redirect method adds an additional request that further delays subsequent resources from loading in the browser. Let’s explore how
HTTP Strict-Transport-Security (HSTS), a frontend security technique, can address these issues.
HTTP Strict-Transport-Security (HSTS) header is a security technique that enforces the browser to rewrite HTTP requests into HTTPS requests, for a secure connection to the origin servers during site navigation. From HTTP Archive, 56% of base pages are using the
HTTP Strict-Transport-Security technique and this number will continue to grow as HTTPS adoption continues to grow. Not only does this header provide browser-level security, but it also proves to be a frontend optimization technique to improve ...