Use the HSTS header for secure communications across networks

Securing and encrypting communications across the network should always be a top priority for any developer. Along these lines, Java profilers show that the performance overhead of the encryption needed to ensure confidentiality is relatively minor. I’d go so far as to say that the use of SSL on all HTTP-based traffic should be a universal requirement.

That’s where HTTP Strict Transport Security (HSTS) comes in. The HSTS header lets you ensure that all communications between browsers and your web server are secure.

HSTS parameters

The HSTS header instructs the browser to communicate with the server only over HTTPS. The policy it sets out remains in effect for the period given by the required max-age directive, which is expressed in seconds; typical values correspond to one day, one month or one year. The browser keeps enforcing the cached policy until that maximum age has elapsed.

The HSTS header can also enforce HTTPS across subdomains, as in the following setup:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

When you use the includeSubDomains option and a user accesses the site, the HSTS policy directs the browser to use HTTPS for all of the site's subdomains, whether they sit inside or outside the firewall.

Implementation configurations

Here is how HSTS can be configured for one year, with all subdomains included and the preload directive set. Every web page must then be reachable over HTTPS, or the browser will refuse to load it.

In an Apache HTTP server, add the following to httpd.conf inside the virtual host that serves HTTPS (browsers ignore the header when it arrives over plain HTTP), with the mod_headers module loaded:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Using "Header always set" instead of "Header set" also attaches the header to error responses such as 404 pages.

In an Nginx server, add the following to nginx.conf inside the server block that terminates SSL (the one with the ssl listen parameter):

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

Note that add_header directives are not inherited by a location block that declares any add_header of its own, so the line must be repeated there if needed; appending the always parameter makes Nginx send the header on error responses as well.
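To make the behaviour described under "HSTS parameters" concrete, and to check the header the Apache and Nginx configurations above actually emit, the following Python script is an added example that is not part of the original article. It parses a Strict-Transport-Security value along the lines of RFC 6797 (max-age required, directive names case-insensitive, a repeated directive or malformed max-age makes the header unusable), caches the policy per host the way a browser does, and decides whether a later request to a host or subdomain must be upgraded to HTTPS. The host names and header values in it are constructed for the example, and the preload check covers only the header-level requirements of the public preload list.

```python
"""Added example (not from the original article): parse a Strict-Transport-Security
header as RFC 6797 describes, cache the policy the way a browser does, and decide
whether a later request to a host or subdomain must be upgraded to HTTPS.
The host names and header values used below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional

# Minimum max-age the browser preload lists require: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int              # seconds the policy stays valid
    include_subdomains: bool  # apply the policy to every subdomain as well
    preload: bool             # site asks to be included in browser preload lists
    received_at: float        # time the HTTPS response carrying the header arrived

    def expires_at(self) -> float:
        return self.received_at + self.max_age


def parse_hsts(header_value: str, received_at: float = 0.0) -> Optional[HstsPolicy]:
    """Return the policy a header value expresses, or None if a browser would
    ignore it (missing or malformed max-age, or a directive given twice)."""
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be written as a quoted string
        if name in seen:
            return None                      # RFC 6797 s6.1: each directive at most once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None                  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is unknown and ignored
    if max_age is None:
        return None                          # max-age is the one required directive
    return HstsPolicy(max_age, include_subdomains, preload, received_at)


def preload_eligible(header_value: str) -> bool:
    """Header-level requirements of the public preload list: max-age of at least
    one year, includeSubDomains and preload all present. (The list also requires
    an HTTP-to-HTTPS redirect, which a header check alone cannot verify.)"""
    policy = parse_hsts(header_value)
    return (policy is not None and policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)


class HstsStore:
    """Per-host policy cache that mimics how a browser applies HSTS."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header_value: str, now: float) -> None:
        """Store the policy from a header received over HTTPS for `host`.
        A later header replaces the cached one; max-age=0 removes it."""
        policy = parse_hsts(header_value, now)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = policy

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if a plain-HTTP request to `host` must be rewritten to HTTPS:
        either the host itself has an unexpired policy, or a parent domain has
        one that carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None or now >= policy.expires_at():
                continue                     # no policy, or it has expired
            if i == 0 or policy.include_subdomains:
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: the header from the article, received at t=0.
    store = HstsStore()
    store.record("example.com", "max-age=31536000; includeSubDomains; preload", now=0.0)
    print(store.should_upgrade("www.example.com", now=100.0))        # True
    print(store.should_upgrade("www.example.com", now=31536000.0))   # False, expired
    print(preload_eligible("max-age=86400; includeSubDomains; preload"))  # False
```

Running the script shows the two points the article makes: once the one-year header has been seen, a request to any subdomain is upgraded until the max-age elapses, and a header with a shorter max-age (one day here) does not meet the preload list's requirement even though it carries the preload directive.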

Given the importance users place on secure and confidential communication over the internet, organizations should explore the option of HSTS headers and enforce SSL-based communications throughout their networks.