Add HTTP Strict Transport Security in Apache & Nginx

HSTS (HTTP Strict Transport Security) is a security protocol that force the use of SSL in the comunication between the web browser and the web server. This standard is recently approved (2 october 2012) by the IETF, but the first draft was released in 2010 and it was implemented in some sites like Paypal, Android market, DEF CON website… The motivation of HSTS is to mitigate the SSLStrip attacks, introduced by Moxie Marlinspike in Black Hat conference 2009. SSLStrip consist in a https session hijacking, forcing a https connection becomes a normal http allowing to the attacker read all data sent from the victim. Basically it follows three steps:

• Victim establishes a HTTP connection with attacker machine.
• The attacker transforms the http traffic from the victim to https.
• The attacker establishes the https connection with the real web server.

Configuring HSTS the web server informs to the web browser that connections to the site should always use SSL. Actually the web browser that supports the HSTS headers are Google chrome from 4.0.211.0 version, Firefox from 4 version and Opera from 12 version.
HSTS has a limitation resides in the initial request from the web browser and can be exploited by an attacker, for this reason it’s important to setup a high value for the HSTS expiration value.

Apache implementation

– Load the mod_headers module to allow modify the http headers:

– Add in our vhost statement or in your main apache config file, the next line with an expiration of 6 months including the requests for all the subdomains:

Nginx implementation

Capturing HTTP headers from the server with tcpdump

HTTP Strict Transport Security or HSTS is a new security feature in browsers that enables you tell the browser “always use SSL when accessing this site”.

Mozilla has a good blog post explaining HSTS, so I won’t try to replicate that here, but I’d just like to make it clear that if you have a site that should always use SSL, be it Drupal or Django or any other system, this is definitely something you should get set up.

Good examples of these are webmail, server administration and monitoring tools and general admin backends. If you are running a large Drupal-site, you should perhaps consider restricting admin-access to a SSL-protected subdomain.

Currently, it is only supported in Chrome 4 and above, and Firefox 4 beta 5 and beyond, but hopefully the other browser makers will catch up soon. Its fully backwards compatible, in that it will have no effect if the browser does not support HSTS.

How to use it

Setting it up is very simple. In your Apache VHost, where you do your SSL config, just add this line:

Header add Strict-Transport-Security “max-age=15768000”
This will tell the browser to remember that this site is SSL/HTTPS only for the next 6 months. During that time it will simply rewrite any and all requests to that site to use HTTPS instead of HTTP without ever communicating insecurely with the server.

If you use nginx, the syntax is subtly different. Adding this to the server section does the trick:

add_header Strict-Transport-Security max-age=15768000;
Keep your redirects

An important point is that HSTS only works after the user has received the header via HTTPS. So you will still need to have a redirect from your HTTP-site to HTTPS, also for supporting browsers that still do not understand HSTS.

This is easily accomplished using Apache’s mod_rewrite:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Thus, with a few lines of configuration, you can make the web a safer place to be for your users. So, what are you waiting for?