7.11 Ensure HTTP Strict Transport Security Is Enabled - 'httpd.conf Strict-Transport-Security configuration'

Information

HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism conveyed by an HTTP response header. With the HSTS header the server declares that clients should communicate with it only over HTTPS, never over clear-text HTTP.

Rationale:

Use of HTTP Strict Transport Security (HSTS) helps protect HSTS-compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks that leave web communication exposed to disclosure and modification by forcing the use of HTTP rather than HTTPS. The 'sslstrip' attack tool by Moxie Marlinspike, released in 2009, is one such attack; it works when a server allows both HTTP and HTTPS communication. A man-in-the-middle HTTP-to-HTTPS proxy would also be effective where the server required HTTPS but did not publish an HSTS policy to the browser, and against browsers that do not comply with HSTS. All current up-to-date browsers support HSTS.

The HSTS header specifies a length of time in seconds during which the browser/user agent should access the server only over HTTPS. The header may also specify that all subdomains are to be included in the same policy. Once a compliant browser receives the HSTS header, it will not allow access to the server via HTTP. Therefore, before enabling HSTS, make sure that no part of the web site or web application still requires plain HTTP.

If all subdomains are to be included via the _includeSubDomains_ option, carefully consider all of the hostnames, web applications, and third-party services in use, including any DNS CNAME records that may be affected. An overly broad _includeSubDomains_ policy will disable HTTP access for every host under the same domain name. Access also stays disabled for the number of seconds given in the max-age value, so if a mistake is made, a large value, such as a year, could create significant support issues. The optional preload flag may be added if the site name is to be submitted for inclusion in the preload lists of the Chrome, Firefox and Safari browsers. See [https://hstspreload.appspot.com/](https://hstspreload.appspot.com/) for details.

Solution

Perform the following to implement the recommended state:

Add a 'Header' directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The 'includeSubDomains' and 'preload' flags may be included in the header, but are not required.

Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
- or -
Header always set Strict-Transport-Security "max-age=600"
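As an added audit example (not part of the CIS benchmark or of Apache), the Python below reads an httpd.conf fragment and reports the server level and every virtual host with SSLEngine on that lacks a Strict-Transport-Security header with a valid max-age; the sample configuration is constructed and includes a value with a stray quote character, which the check flags.

```python
import re

# The directive this recommendation requires; value may be quoted or bare.
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+'
    r'''(?:"([^"]*)"|'([^']*)'|(\S+))''', re.IGNORECASE)
VHOST_OPEN_RE = re.compile(r'^\s*<VirtualHost\b', re.IGNORECASE)
VHOST_CLOSE_RE = re.compile(r'^\s*</VirtualHost>', re.IGNORECASE)
SSL_ON_RE = re.compile(r'^\s*SSLEngine\s+on\b', re.IGNORECASE)

def parse_hsts_value(value):
    """Split 'max-age=600; includeSubDomains' into a dict; None if max-age is bad."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    return directives if directives.get("max-age", "").isdigit() else None

def audit_config(text):
    """Findings for an httpd.conf text (empty = pass); SSL vhosts and server level."""
    findings, seen, scope, ssl_on = [], set(), "server level", False
    for n, line in enumerate(text.splitlines(), 1):
        if VHOST_OPEN_RE.match(line):
            scope, ssl_on = f"<VirtualHost> at line {n}", False
        elif VHOST_CLOSE_RE.match(line):
            if ssl_on and scope not in seen:   # SSL-enabled vhost without HSTS
                findings.append(f"{scope}: HSTS header missing")
            scope = "server level"
        elif SSL_ON_RE.match(line):
            ssl_on = True
        elif (m := HEADER_RE.match(line)):
            value = next(g for g in m.groups() if g is not None)
            seen.add(scope)
            if parse_hsts_value(value) is None:  # e.g. a stray quote in the value
                findings.append(f"{scope}: invalid HSTS value {value!r}")
    if "server level" not in seen:
        findings.append("server level: HSTS header missing")
    return findings

# Constructed sample: good server-level header, SSL vhost with a stray quote, exempt HTTP vhost.
SAMPLE_CONF = """\
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
<VirtualHost *:443>
    SSLEngine on
    Header always set Strict-Transport-Security 'max-age=600
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
"""
```

Run `audit_config(open("/path/to/httpd.conf").read())` against a real configuration; any non-empty result lists the scope that fails this recommendation.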

See Also

https://workbench.cisecurity.org/files/2378