Four years ago, Google formally implemented a security policy called HTTP Strict Transport Security (HSTS). Shortly after, highly prestigious social networks (Facebook, Twitter, Gmail ...) and payment portals such as PayPal, incorporated HSTS to the SSL of their platforms. With this action, multimillion dollar companies sent a message to the world about the importance of integrate HSTS to a security certificate.
At that time, many wondered how Strict Transport Security worked and why it was so important to implement this security standard on a website. After the need to understand what the HSTS was about, we discovered that its main purpose was ensure the connection between users and web servers.
Integrating HSTS into a security certificate: How, when and why to implement it?
Currently, Strict Transport Security is more current than ever, it has become an essential element for online platforms. Many businesses are on the Internet, it is normal to want know if your website is safe and secure of attacks.
For this and other reasons, in this article we want to highlight the importance of integrate HSTS to a security certificate. Although, for this, it is essential to first know what an SSL certificate is and how Strict Transport Security works.
What is SSL certificate?
A Secure Socket Layer certificate (or SSL) is a kind of digital code that connects a company to an Internet domain name. It is the equivalent of a property right that an organization obtains to use land.
The use of this certificate reveals to web browsers that it is only possible to enter the page through a secure connection.
In fact, identify a website with SSL certificate Valid is very easy: just take a look at the address bar where a padlock symbol should appear accompanied by the name of the organization and the HTTPS protocol.
The HTTPS protocol is a ranking element in Google that gives a website the distinction of “five stars”. For example, a page with SSL could be interpreted as a secure, fast and mobile responsive portal.
However, just because a website has an SSL certificate does not mean that the portal is completely safe for visitors. We explain why.
In a physical context, we could say that the certificate acts as a security guard located at the entrance of a store. Normally, this guard is able to stop many threats at the gate, but unfortunately, he will not be able to provide protection to the place if some malicious visitor finds another way to gain access.
It is precisely at this point where the decision to integrate HSTS to a security certificate it would not be for pleasure. And it is that the role of Strict Transport Security in this case would be to force everyone to access the store through a single entrance.
What is it HSTS?
It is a security policy that allows different websites to be named as a navigable space through secure connections (HTTPS). The HSTS standard protects both web portals and users against possible protocol degradation and cyber attacks to hijack cookies.
Therefore, if a web page implements an HSTS policy, the browser should automatically deny HTTP connections and prevent users from approving insecure SSL certificates.
In short words; the objective of this security policy is avoid attacks of intermediaries using SSL.
Today you can integrate HSTS to a security certificate without problems because it is compatible with almost all the browsers that we know.
Why should you implement HSTS on your company website?
Suppose you have a physical store, as the owner or manager of the business, we are sure that you will never close the doors of the store without padlocking the doors. In fact, it would not be surprising that you also place metal detectors at the entrance to prevent visitors from entering with the intention of taking your products.
In this way, your website data is as valuable as the products in your physical store, so it is very important to keep them safe under lock.
Do you wanna know the truth? Blocking your company's website is sometimes not enough because there are those who find a way to access the site through http: //. In this case, HSTS requires visitors and application connections to use HTTPS.
Therefore, at integrate HSTS to a security certificate or having a Strict-Transport-Security header installed in your browser will make it virtually impossible for users with aspirations to steal your website data to collect information.
Keys to how the HSTS policy works
- The HSTS policy transforms each non-secure request into HTTPS-protected requests. Thus, the confidential information exchanged between the server and the user will be protected by encryption.
- To install this measure it is necessary to have a SSL certificate valid for the domain name and embed a Strict-Transport-Security header (HSTS header).
- A header is a file that is installed in the domain and requires the browser secure connections from the first connection. How? Letting you know that the browser will continue once it interacts with the domain.
- The standards set by the HSTS header will ensure that in the browser cannot access the unsafe version (HTTP) of the website in a period of time.
Conclusions
Having analyzed the role of the Strict Transport Security policy in keeping user and web server data safe, it is worth asking, is it worth it? integrate HSTS to a security certificate? Yes, of course.
Deploying is an action very important. With an SSL certificate there are still ways to get in to explore the website. For example, there are cyber criminals who use 301 redirects to send traffic to the HTTPS versions of their original HTTP pages.
Therefore, not installing Strict Transport Security is like putting a huge padlock on your store door, but leaving an advantage without a lock or key. Although it would be a mistake to claim that the HSTS standard fully shields your website against data interception, they would not make it easy for hackers because they would have to engineer more sophisticated attacks.
We have reached the end of this post, we hope it has been very useful to understand the the importance of implement HSTS to an SSL certificate.
