A policy that protects web users from “man in the middle” attacks
The rise in internet use has brought a higher level of risk that exposes both website users and owners to cyber attacks. For instance, if a user types the address of a website that uses HTTPS without entering every character correctly, the web browser can still redirect that user to the right site. Someone intending to visit https://www.site.com can type www.site.com or even site.com, and they will be redirected to the main site. However, during that redirect, users are exposed to hackers who may take the opportunity to send them to a malicious site instead. This is where the HTTP Strict-Transport-Security header comes in. It instructs browsers not to load the site over HTTP and to send such requests to HTTPS instead.
Therefore, the HTTP Strict Transport Security header is a policy that protects web users from “man in the middle” attacks. With this mechanism, there is a reduced risk of threats such as cookie hijacking and protocol downgrade attacks. Under the policy, the browser only talks to the site over connections protected by Transport Layer Security, which enhances security.
HTTP Strict Transport Security was created to bridge a gap that HTTP could not. Its main purpose is to guarantee end-to-end security through encrypted communication between browsers and web servers. It does not just help with correct certificates during redirects. It also covers all future visits by allowing the browser to remember the site as HTTPS-only for a specified duration. It does this by specifying three directives, which are:
With the HTTP Strict Transport Security header, you will have a more secure website. Some of the requirements your site should meet before you apply for the policy include having a valid SSL certificate that covers all your subdomains, a max-age of at least 10886400, and the preload directive specified if you choose to use it.
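As an added example (not code from the original article), the Python below parses a Strict-Transport-Security header value, models the browser's policy store so that a later http:// request or a bare typed hostname is upgraded to https:// locally while the max-age window lasts (no plaintext request, and so no redirect for an attacker to intercept), and checks the requirements stated above: a max-age of at least 10886400, subdomains covered, and the preload directive present. The directive names max-age, includeSubDomains and preload are the header's real directives; the host names, header values and timestamps are constructed for the example, and the certificate requirement is left out because it cannot be verified offline.

```python
"""HSTS worked example: parse the header, model the browser-side policy cache,
and check the preload requirements named in the article.  Added example; host
names, header values and timestamps below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 10886400  # minimum max-age the article states (18 weeks in seconds)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value such as
    'max-age=10886400; includeSubDomains; preload'.
    Directives are ';'-separated and case-insensitive; max-age is mandatory.
    Returns None for a malformed header, which a browser treats as no policy."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


class HstsCache:
    """Minimal model of the browser's HSTS store: host -> (policy, expiry time)."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[HstsPolicy, int]] = {}

    def remember(self, host: str, header_value: str, now: int) -> bool:
        """Record the policy a host sent over HTTPS; returns False if unparseable."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        if policy.max_age == 0:
            self._store.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
            return True
        self._store[host.lower()] = (policy, now + policy.max_age)
        return True

    def _covered(self, host: str, now: int) -> bool:
        """True if the host, or a parent with includeSubDomains, has an unexpired entry."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._store.get(candidate)
            if entry is None:
                continue
            policy, expiry = entry
            if now >= expiry:
                continue  # an expired entry no longer protects the host
            if candidate == host or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: int) -> str:
        """Return the URL the browser would actually request: a bare hostname is
        treated as http://, and http:// becomes https:// for a known host."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        if parts.scheme == "http" and self._covered(parts.hostname or "", now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return urlunsplit(parts)


def preload_problems(header_value: str) -> List[str]:
    """List which of the article's stated preload requirements the header fails."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains missing, so subdomains are not covered")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: the first HTTPS visit to site.com returned this header at time 1000.
    cache.remember("site.com", "max-age=10886400; includeSubDomains; preload", now=1000)
    for typed in ("site.com", "www.site.com", "http://www.site.com/login"):
        print(typed, "->", cache.rewrite(typed, now=1060))
    print(preload_problems("max-age=300"))
```

Note that an entry learned for www.site.com alone does not cover the apex site.com: the policy only extends downwards, and only when includeSubDomains is set, which is why the apex is the host that should send the header.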