Only 5% of HTTPS Servers Have Correct HSTS Implementation, Leaving 95% Vulnerable
HTTP Strict Transport Security (HSTS) is a vital security feature that ensures web applications only use secure, encrypted connections. However, a recent study reveals a concerning trend: only 5% of HTTPS servers have a correct HSTS implementation, leaving 95% vulnerable to connection hijacking.
HSTS works by sending a Strict-Transport-Security response header over a secure connection, instructing the browser to communicate with that host only over HTTPS for the period given by the header's max-age directive. Best practices include setting a max-age value greater than 120 days and including the 'includeSubDomains' directive to protect all subdomains.
Google provides a tool to submit websites to the HSTS preload list, which helps mitigate the chicken-and-egg problem: a browser only learns a site's HSTS policy after it has received the header over HTTPS, so a first visit over plaintext HTTP is still exposed. Preloading ships the policy with the browser, so HSTS is configured out of the box. Despite these measures, only a small fraction of servers correctly implement HSTS. This is concerning, as web applications should assume attackers can run man-in-the-middle attacks over plaintext HTTP connections.
To protect against these attacks, HSTS enforces strict security measures like preventing mixed content and click-through certificate overrides. However, only 5% of HTTPS servers have a correct HSTS implementation, leaving a significant gap in web security.
To improve web security, it's crucial for web applications to correctly implement HSTS. This includes providing a well-formed HSTS header, setting an appropriate max-age value, and including the 'includeSubDomains' directive whenever possible. Tools like Qualys' Vulnerability Management and Web Application Scanning services can help protect against HSTS misconfigurations at scale. By taking these steps, we can significantly reduce the number of vulnerable servers and enhance the security of web communications.
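The following checker is an added example, not code from the article or from Qualys; it parses a Strict-Transport-Security header value using the RFC 6797 directive syntax and grades it against the practices described above (well-formed header, max-age greater than 120 days, includeSubDomains present). The 120-day threshold constant and the sample header values are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed threshold derived from the article's best practice: max-age > 120 days.
MIN_MAX_AGE_SECONDS = 120 * 24 * 60 * 60  # 10_368_000 seconds


@dataclass
class HstsCheck:
    present: bool
    well_formed: bool
    max_age: Optional[int]
    include_subdomains: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: Optional[str]) -> HstsCheck:
    """Parse an HSTS header value (directives separated by ';', names
    case-insensitive, duplicate directive names invalid per RFC 6797) and
    report the deviations from the recommended configuration."""
    if header_value is None:
        return HstsCheck(False, False, None, False, ["no HSTS header on HTTPS response"])
    seen = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            return HstsCheck(True, False, None, False, [f"duplicate directive '{name}'"])
        seen[name] = value
    if "max-age" not in seen or not re.fullmatch(r"\d+", seen["max-age"]):
        return HstsCheck(True, False, None, False, ["missing or non-numeric max-age"])
    max_age = int(seen["max-age"])
    include_sub = "includesubdomains" in seen
    problems = []
    if max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif max_age <= MIN_MAX_AGE_SECONDS:
        problems.append("max-age is not greater than 120 days")
    if not include_sub:
        problems.append("includeSubDomains directive missing")
    return HstsCheck(True, True, max_age, include_sub, problems)


def is_correct(header_value: Optional[str]) -> bool:
    """True only when the header is present, well-formed and meets both practices."""
    return parse_hsts(header_value).problems == []
```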