Chapter 2. HTTP Strict-Transport-Security
Based on recent conference talks and developments in technology, we see that society is moving towards secure end user experiences. The examples of service workers and HTTP/2 working strictly over HTTPS demonstrate this movement; additionally, Google announced in late 2015 that its indexing system would prefer indexing HTTPS URLs over HTTP URLs to motivate developers to move to HTTPS. Generally, the quick-fix solution is to enforce an HTTP-to-HTTPS redirect for the end user; however, this still leaves the end user open to man-in-the-middle (MITM) attacks, in which a malicious party can manipulate the incoming response or outgoing request over the nonsecure HTTP connection that precedes the redirect. Furthermore, the redirect method adds an additional request that further delays subsequent resources from loading in the browser. Let’s explore how HTTP Strict-Transport-Security (HSTS), a frontend security technique, can address these issues.
What Is HSTS?
The HTTP Strict-Transport-Security (HSTS) header is a security technique that forces the browser to rewrite HTTP requests into HTTPS requests, so that a secure connection to the origin servers is used during site navigation. According to HTTP Archive, 56% of base pages are using the HTTP Strict-Transport-Security technique, and this number will continue to grow as HTTPS adoption continues to grow. Not only does this header provide browser-level security, but it also proves to be a frontend optimization technique to improve ...
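The browser-side behaviour described above, as an added example that is not from the book: parsing the Strict-Transport-Security header value (the max-age and includeSubDomains directives defined in RFC 6797) and applying a stored policy to rewrite http:// URLs to https:// before any request leaves the browser. The host names and policies are constructed for illustration.

```python
"""Added example: how a browser stores and applies an HSTS policy."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int                      # seconds the policy stays valid
    include_subdomains: bool = False  # also cover *.host


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.
    Returns None when the value is unusable (missing, duplicate or
    non-numeric max-age), in which case a browser ignores the header."""
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be quoted
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives (for example "preload") are ignored.
    return None if max_age is None else HstsPolicy(max_age, include_sub)


def upgrade_url(url: str, policies: Dict[str, HstsPolicy]) -> str:
    """Rewrite an http:// URL to https:// when a stored policy covers its
    host. `policies` maps the host that sent the header to its policy."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for known, pol in policies.items():
        if pol.max_age == 0:
            continue  # max-age=0 tells the browser to forget the policy
        if host == known or (pol.include_subdomains and host.endswith("." + known)):
            # Port 80 becomes the default HTTPS port; other ports are kept.
            netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url  # no policy for this host: the plain HTTP request goes out
```

Note that the policy only helps after a first HTTPS visit has delivered the header; that first plain-HTTP request is still exposed, which is what the preload list addresses.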