Author Archives: Simon Waters

Strict Transport Security Edge Cases (HSTS)

Some notes on edge cases to HSTS I have seen in the wild, and appropriate mitigations.

Not Invoking Parent Domain Frequently Enough

Problem: If your website is on www.example.com and the search engines indexes it there. Even if you have HSTS in the HTTP headers on https://example.com/ the user may never visit that domain, and never see the dynamic strict-transport-security header. This may be a problem if you have cookies scoped to that domain, especially if they lack the secure flag.

Fixes:

Serve a commonly retrieved item such as Logo from the parent domain https://example.com/logo.png

Included the “preload” attribute on the HSTS header on the parent domain.

Ensure all cookies have the secure flag.

Redirecting Around Parent Domain

Problem: You have a redirect at http://example.com to https://www.example.com

This is a special case of “Not Invoking Parent Domain Frequently Enough”. Where you type example.com most browsers default to HTTP, but HSTS headers need to be set over HTTPS.

Fixes:

Redirect HTTP to HTTPS before you redirect to “www”. http://example.com/ to https://example.com/ to https://www.example.com/

Serve a logo or other item in the parent domain.

Include the “preload” attribute on HSTS headers on the parent page.

Ensure all cookies have the secure flag.

Subdomains Can Remove the Include Subdomain Option

Problem: Your parent domain “https://example.com” includes the HSTS IncludeSubDomains, but your subdomain “https://status.example.com” doesn’t include IncludeSubDomains. Google Chrome gives precedence to the child domain so a MITM can create “http://nonsuch.status.example.com/” and any cookies scoped to “.example.com” without the secure flag will be delivered in the clear. Note the behaviour may vary depending which websites have been visited and when, and which browser is used.

See also https://bugs.chromium.org/p/chromium/issues/detail?id=821811

Fixes:

Ensure all cookies have the secure flag set.

Always “includeSubDomains” when using HSTS.

Partial fixes or other techniques to consider include:

Domain owners consider DNSSEC, domain users consider DNS over HTTPS, to defeat the Man in the Middle DNS modification.

Avoid situations where you delegate subdomains to different organisations or managerial regimes where you can’t ensure consistent application of controls.

Use “host” cookies where appropriate but accept this will fail in some browsers.