Strict Transport Security (HSTS) & Preload Lists

#Closing the 'First-Request' Gap#link

In the previous lesson, we learned that HTTPS is superior to HTTP. However, most users don't type `https://` in their browser; they type `example.com`. By default, the browser tries HTTP first, and the server then sends a 301 Redirect to HTTPS. This creates a window of vulnerability where an attacker can intercept the first request and prevent the redirect.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a security mechanism that allows a web server to tell browsers: 'For the next year, do not even attempt to use HTTP. If the user types `http://`, automatically convert it to `https://` internally before the request ever leaves the device.'

# Example of the HSTS header sent by a server
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The `max-age` directive defines how long the browser should remember this rule. `includeSubDomains` ensures that if `example.com` is secure, `api.example.com` must also be secure.

The Preload List: The Ultimate Defense

HSTS has one major flaw: the 'Trust On First Use' (TOFU) problem. The browser only knows about HSTS *after* it has visited the site once and seen the header. An attacker can still strip the very first connection. To solve this, Google maintains a 'HSTS Preload List' which is hardcoded into the Chrome, Firefox, and Safari source code.

Implementation Workflow

Moving to HSTS should be a gradual process. If you suddenly enable a 1-year max-age on a site with some legacy HTTP dependencies, you will break your site. The recommended approach is to start with a short `max-age` and slowly increase it.

• ▪Verify all subdomains are HTTPS compatible
• ▪Start with `max-age=300` (5 minutes) for testing
• ▪Increase to `max-age=86400` (1 day)
• ▪Deploy `max-age=31536000` with `includeSubDomains`
• ▪Submit to hstspreload.org only after 100% stability