HSTS (HTTP Strict Transport Security) is a security mechanism that forces the use of SSL in the communication between the web browser and the web server. The standard was recently approved (2 October 2012) by the IETF, but the first draft was released in 2010 and it was already implemented on some sites such as PayPal, Android Market, the DEF CON website… The motivation of HSTS is to mitigate SSLStrip attacks, introduced by Moxie Marlinspike at the Black Hat conference in 2009. SSLStrip consists of an HTTPS session hijacking: a connection that should be HTTPS is turned into plain HTTP, allowing the attacker to read all data sent by the victim. Basically it follows three steps:

  • The victim establishes an HTTP connection with the attacker's machine.
  • The attacker transforms the victim's HTTP traffic into HTTPS.
  • The attacker establishes the HTTPS connection with the real web server.

By configuring HSTS, the web server informs the web browser that connections to the site should always use SSL. Currently the web browsers that support the HSTS header are Google Chrome from version 4.0.211.0, Firefox from version 4 and Opera from version 12.
HSTS has a limitation: its protection depends on the initial request from the web browser, which can be exploited by an attacker; for this reason it is important to set a high value for the HSTS expiration (max-age).

Apache implementation

– Load the mod_headers module to allow modifying the HTTP headers:

# vi /etc/httpd/conf/httpd.conf
LoadModule headers_module modules/mod_headers.so

– Add the following line to your vhost definition or to the main Apache config file, with an expiration of 6 months and including the requests for all subdomains:

Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"

Nginx implementation

# The value must be quoted: an unquoted ';' ends the nginx directive, so
# "includeSubDomains" would be parsed as an unknown directive and the config would fail.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

Capturing HTTP headers from the server with tcpdump

# tcpdump -vvvs 1024 -l -A host monitor.local

$p... ..HTTP/1.1 200 OK
Date: Tue, 09 Oct 2012 18:33:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 09 Oct 2012 18:33:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="CAO PSA OUR"
Strict-Transport-Security: max-age=15768000
Content-Length: 1468
Connection: close
Content-Type: text/html; charset=UTF-8
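Reading the capture by eye is error-prone, so here is an added Python checker (not part of the original post) that parses a Strict-Transport-Security value and audits it against the policy configured above: max-age of at least 6 months, includeSubDomains present, a single header, sent over TLS. The header list it is fed is constructed from the response captured above, which notably carries no includeSubDomains.

```python
# Added example (not the post's code): parse a Strict-Transport-Security header and
# audit it against the policy configured above (6 months, includeSubDomains).
from typing import Dict, List, Optional, Tuple

SIX_MONTHS = 15768000  # seconds, the max-age used in the Apache/Nginx lines above

def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split 'max-age=15768000;includeSubDomains' into a directive map.
    Names are case-insensitive; a directive may carry no value (includeSubDomains)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797 forbids repeating a directive
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if sep else None
    return directives

def audit_hsts(headers: List[Tuple[str, str]], over_tls: bool = True,
               min_age: int = SIX_MONTHS) -> List[str]:
    """Return findings for the STS header(s) of a response given as (name, value) pairs."""
    findings: List[str] = []
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return ["no Strict-Transport-Security header"]
    if len(sts) > 1:  # e.g. Apache 'Header add' plus a proxy adding its own copy
        findings.append("header sent more than once; browsers honour only the first")
    if not over_tls:
        findings.append("header seen over plain HTTP; browsers ignore it there")
    try:
        d = parse_hsts(sts[0])
    except ValueError as exc:
        return findings + [str(exc)]
    age = d.get("max-age")
    if age is None or not age.isdigit():
        return findings + ["max-age missing or not numeric; header is invalid"]
    if int(age) == 0:
        findings.append("max-age=0 removes the policy")
    elif int(age) < min_age:
        findings.append(f"max-age {age} below {min_age}; widens the first-request window")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains are not covered")
    return findings

# Constructed sample: the header as captured with tcpdump above (no includeSubDomains).
CAPTURED = [("Server", "Apache/2.2.15 (CentOS)"), ("Strict-Transport-Security", "max-age=15768000")]
FINDINGS = audit_hsts(CAPTURED)  # -> ["includeSubDomains absent; subdomains are not covered"]
```

In practice feed it the (name, value) pairs from a real HTTPS response and treat any non-empty result as a misconfiguration to fix before relying on HSTS.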

Draft specification by the IETF: http://datatracker.ietf.org/doc/draft-ietf-websec-strict-transport-sec/

Enable HTTP Strict Transport Security in Apache & Nginx