
3.2.4. HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a mechanism that allows a server to inform a client that any interaction with the server shall be carried out over a secure HTTPS connection.
HTTPS provides a secure tunnel between the client and the server, yet there are still ways in which data can leak to an attacker. One of the most practical attacks on SSL is the SSL stripping attack introduced by Moxie Marlinspike, in which an active network attacker transparently converts an HTTPS connection into an insecure one. To the client it appears that the web application does not support HTTPS, and the client has no means to verify whether this is the case.
The HTTP Strict Transport Security mechanism allows a server to inform the client's user agent (UA) that the web application shall be accessed only through a secure HTTPS connection. When a client's UA that conforms to HSTS receives such a notice from the server, it enforces the following behaviour:
  • all references to the HSTS host are converted into secure ones before dereferencing
  • the connection is terminated upon any and all secure transport errors or warnings, without interaction with the user
User agents that receive a response with the HSTS header need to retain data about the host enforcing strict transport security for the timespan declared by the host. The user agent builds a list of known HSTS hosts, and whenever a request is sent to a known HSTS host, HTTPS is used.
The HSTS header sent by the server includes the timespan, in seconds, during which the UA should enforce strict transport security:
Strict-Transport-Security: max-age=631138519
Optionally, the server can also specify that HSTS be enforced on all subdomains:
Strict-Transport-Security: max-age=631138519; includeSubDomains
Setting the timespan to zero
Strict-Transport-Security: max-age=0
allows the server to indicate that the UA should delete the HSTS policy associated with the host.
This header protects a client from visiting a host it has visited before over an insecure connection, but when the client connects for the first time it has no prior knowledge of the host's HSTS policy. This theoretically allows an attacker to successfully attack users who connect for the first time. To mitigate this, browsers include a preloaded list of known HSTS hosts in the default installation.
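The user-agent behaviour described above (a store of known HSTS hosts with max-age expiry, includeSubDomains, deletion via max-age=0, and rewriting of http:// references before dereferencing) as an added Ruby model; this is example code, not part of the original guide or of Rails. Host names and header values used with it are constructed, and the clock is injected so expiry can be exercised without waiting.

```ruby
require 'uri'

class HstsStore
  Policy = Struct.new(:expires_at, :include_subdomains)

  # clock is injectable so expiry can be tested without waiting
  def initialize(clock: -> { Time.now })
    @clock = clock
    @known = {} # lowercase host => Policy
  end

  # Parse a Strict-Transport-Security header value. Returns nil when it has no
  # valid max-age directive, in which case a conforming UA ignores the header.
  def self.parse(value)
    return nil unless (m = value.match(/(?:\A|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|\z)/i))
    { max_age: m[1].to_i,
      include_subdomains: value.match?(/(?:\A|;)\s*includeSubDomains\s*(?:;|\z)/i) }
  end

  # Record the policy from a response sent by +host+. A header received over plain
  # HTTP is ignored: an active attacker could have injected it.
  def receive(host, header, over_https: true)
    return unless over_https && (parsed = self.class.parse(header))
    host = host.downcase
    return @known.delete(host) if parsed[:max_age].zero? # max-age=0: forget the host
    @known[host] = Policy.new(@clock.call + parsed[:max_age], parsed[:include_subdomains])
  end

  # True when +host+, or a parent domain whose policy has includeSubDomains,
  # holds a policy that has not yet expired.
  def hsts_host?(host)
    labels = host.downcase.split('.')
    labels.each_index do |i|
      next unless (policy = @known[labels[i..-1].join('.')])
      next if policy.expires_at <= @clock.call # expired: treat as unknown
      return true if i.zero? || policy.include_subdomains
    end
    false
  end

  # Convert an http:// reference to a known HSTS host into https:// before it is
  # dereferenced. Port 80 becomes 443; any other explicit port is kept.
  def rewrite(url)
    uri = URI.parse(url)
    return url unless uri.scheme == 'http' && hsts_host?(uri.host)
    port = uri.port == 80 ? nil : uri.port
    URI::HTTPS.build(host: uri.host, port: port, path: uri.path, query: uri.query).to_s
  end
end
```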

3.2.4.1. Configuring HSTS in Rails

A single directive in the Rails configuration
config.force_ssl = true
enables HSTS for the application.

3.2.4.2. References