What is HSTS? Why Should I use it?


HTTP Strict Transport Security makes your SSL implementation even safer.

Let’s talk about HTTP Strict Transport Security, or HSTS. Even though I generally don’t trust acronyms, HSTS is ok. That’s because it closes a window that hackers could exploit; that window is sometimes called an attack vector.

Attack vector is a cool term. It sounds like something out of Star Wars. And actually, that’s not a bad analogy. Think of SSL as the Death Star’s defenses. You’ve got this whole big Death Star covered in turrets and whatever other space crap you could throw on there to keep it safe. Unfortunately, when they were having the meeting during the planning phase, nobody said, “hey, there’s this little vent that you could technically force-guide a torpedo down and blow this whole thing up.”

HSTS effectively shuts that vent.

What is HSTS?

HSTS is an HTTP response header (Strict-Transport-Security) that tells browsers to only make secure connections to a given site. Once the browser has received it, it enforces HTTPS connections to that site for the amount of time the header specifies.

This is important because even after installing an SSL certificate and migrating to HTTPS, there are still vulnerabilities that can be exploited. Specifically, downgrade attacks, where a hacker redirects a user to a non-secure page instead of the HTTPS version.

By adding an HSTS header, you can avoid this.

What is the HSTS preload list?

The HSTS preload list is managed by Google and contains a list of websites that serve the HSTS header. The advantage of the preload list is that your browser already knows the site’s HSTS policy before it connects to the website for the first time.

This closes another attack vector: without preloading, a user is still vulnerable on the very first visit, before the header has been downloaded.

Getting added to the preload list is easy: it’s a single directive (the word “preload”) added to the HSTS header. After that’s in place, simply head over to Google’s sign-up page and submit your site to the list. The HSTS preload list is updated every time a new browser version is released.
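To see what the header and the preload directive actually look like, here is an added example (not code from the original article) in Python: it parses a Strict-Transport-Security header value and reports why a site would be turned away by the preload list. The thresholds it checks (a max-age of at least one year, includeSubDomains and preload all present) are the published requirements of the preload submission page; the function names and sample values are my own.

```python
import re

ONE_YEAR = 31536000  # seconds; the preload list requires max-age of at least this


def parse_hsts(header_value):
    """Parse an HSTS header value into a dict of lower-cased directives.

    Returns None when the value is malformed (max-age missing, non-numeric,
    or a directive repeated). Valueless directives such as includeSubDomains
    and preload map to True.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # a directive must not appear twice
            return None
        directives[name] = value.strip().strip('"') if sep else True
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(header_value):
    """Return the reasons this header is not preload-ready (empty list = ready)."""
    d = parse_hsts(header_value)
    if d is None:
        return ["header missing or malformed: a numeric max-age is required"]
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if d.get("includesubdomains") is not True:
        problems.append("includeSubDomains directive missing")
    if d.get("preload") is not True:
        problems.append("preload directive missing")
    return problems


# Constructed sample header values, as a site might send them.
WEAK = "max-age=300"
READY = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for value in (WEAK, READY):
        print(f"{value!r}: {preload_problems(value) or 'preload-ready'}")
```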

Final Thoughts

We recommend setting up HSTS. It makes your SSL implementation more secure by closing a couple of key attack vectors. Best of all, it’s quick, easy and FREE.

So what are you waiting for?

Stay Cautious, my friends

Want to clear the HSTS settings in your browser? Here’s how to do it.


Clear HSTS Settings in Firefox

  • First of all, close all open tabs in Firefox
  • Now open the history window by pressing Ctrl + Shift + H (Cmd + Shift + H on Mac). You must use this window or the history sidebar for the options below to be available
  • Search and find the site for which you want to delete HSTS settings
  • Now, right-click on the site and then click Forget About This Site. Once done, the HSTS settings and other cache stored for that site should get cleared
  • Restart Firefox and visit the site


Clear HSTS Settings in Chrome

  • First, type chrome://net-internals/#hsts in the address bar
  • In the text field, search for the domain name for which you want to delete HSTS settings
  • Press the Delete button
  • To make sure that HSTS settings have been deleted, type your domain name in the text field located below Query domain
  • Click on Query. If the response is ‘Not Found,’ your HSTS settings have been cleared successfully

Clear HSTS Settings in Safari

  • First, close Safari
  • Delete the ~/Library/Cookies/HSTS.plist file
  • Last, reopen Safari.