Why is HSTS important and how to do it?

Teo Selenius, Senior Security Specialist

August 3, 2021 at 13:33

Teo Selenius works as a cybersecurity expert at Nixu Engineering. He helps IT developers, architects, and other technical personnel in different organizations build and maintain code that supports application security.

In 2021, Selenius started a blog to keep his findings in order and to share his discoveries and the latest application security trends. Appsecmonkey.com is growing rapidly; its theme is application security and everything you need to know about it.

About HSTS (HTTP Strict Transport Security)

Did you know that enabling HTTPS on your website is not enough to protect users from attackers on the network?

The reason lies in how browsers behave: when a user types a hostname without a scheme, the browser's first request goes out over plain HTTP. Suppose, for example, that the user is on a shared wireless network. In that case, all an attacker has to do is intercept the network connection, wait for that first unencrypted HTTP request to http://www.example.com, and never let the web server redirect the user to HTTPS.

Unless, of course, the web server properly uses preloaded HTTP Strict Transport Security (HSTS), which you should do for all your websites.
Read this article to see exactly how and why to do this.
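As an added example that is not part of the original article, the following Python checker parses a Strict-Transport-Security header value per RFC 6797 and reports why a given value would fall short of the hstspreload.org submission requirements, which are assumed here to be a max-age of at least one year, includeSubDomains and preload (the function names and the ONE_YEAR constant are this example's own).

```python
"""Check a Strict-Transport-Security header (parsed per RFC 6797) against the
hstspreload.org rules, assumed here to be: max-age >= 1 year, includeSubDomains,
and preload. Added example; not the article's code."""
import re

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(header_value):
    """Return directives as a dict: names lower-cased, max-age as an int."""
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name in directives:  # RFC 6797 6.1: each directive at most once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    if not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_problems(header_value):
    """List the reasons a header would be rejected for preloading (an empty
    list means the header itself meets the requirements)."""
    try:
        d = parse_hsts(header_value)
    except ValueError as e:
        return [str(e)]
    problems = []
    if d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a weak header next to a preload-ready one.
    for h in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        print(h, "->", preload_problems(h) or "OK")
```

The checker only validates the header value itself; the preload list additionally requires a valid certificate, an HTTP-to-HTTPS redirect on the same host, and HTTPS on all subdomains, which have to be verified separately.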