HSTS Max-Age Directives and Cyborgs

  • Writer: Jen C
  • Nov 9
  • 2 min read

Let’s learn about HSTS Max-Age Directives. Is it just me, or does this sound like something out of RoboCop or Wall-E? What is your directive LOL? Ok seriously now, what are we talking about?


Let’s start with the basics. HTTP Strict Transport Security, or HSTS, is a response header that improves a site’s security by instructing the browser to always use HTTPS instead of HTTP when visiting your site. It helps protect against man-in-the-middle attacks and other vulnerabilities. More importantly, the HSTS header prevents attackers from forcing a browser onto an insecure HTTP connection, which can expose the user’s credentials or even lead to cookie hijacking. Mmmmm, cookies.


How does it work? The browser automatically converts any HTTP request to that domain into an HTTPS request, even if the user types in an HTTP URL. Pretty slick! Even cooler, on the first visit the browser makes a “mental note” of this setting, and on subsequent visits it knows to default to HTTPS.


How do we implement it? You may be wondering about the max-age directive and how to set it in the security header. It is recommended to set a duration for how long the HTTP Strict Transport Security (HSTS) policy should be followed. Start with a gradual rollout: test first with a sample value of 300 seconds and check for issues. If pages load with no issues, then full speed ahead.


The best practice is at least one year, which equates to 31536000 seconds in case you don’t want to do the math. Honestly, two years (63072000 seconds) really is best and highly recommended. This is a requirement for preloading as well (inclusion in the HSTS preload list, where browsers enforce HTTPS from the very first visit). Note: if HSTS is configured with a max-age of less than one year, code scanners will keep flagging it as a vulnerability until a max-age of at least one year is set.
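As an added example (not code from this post), the Python below parses a Strict-Transport-Security header value and classifies it against the rollout stages just described: the 300-second trial, the one-year minimum that scanners look for, the two-year recommendation, and the includeSubDomains and preload directives wanted before submitting to the preload list. The directive names and parsing rules follow RFC 6797; the stage labels and the thresholds are this example's own choices, taken from the post.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
ONE_YEAR = 31_536_000   # seconds; the post's minimum, below which scanners keep flagging HSTS
TWO_YEARS = 63_072_000  # seconds; the post's recommended value, also wanted before preloading

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: list = field(default_factory=list)

def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value using the RFC 6797 directive syntax."""
    policy, seen = HstsPolicy(), set()
    for token in (t.strip() for t in header_value.split(";") if t.strip()):
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')  # names are case-insensitive
        if name in seen:  # RFC 6797 does not allow a directive to appear more than once
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "max-age":
            policy.errors.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True  # any other directive is ignored, as the RFC requires
    if policy.max_age is None:
        policy.errors.append("max-age directive is missing")
    return policy

def assess(header_value: Optional[str]) -> Tuple[str, str]:
    # Classify a header value against the rollout stages the post describes.
    if header_value is None:
        return "missing", "no Strict-Transport-Security header was sent"
    p = parse_hsts(header_value)
    if p.errors:
        return "invalid", "; ".join(p.errors)
    if p.max_age == 0:
        return "disabled", "max-age=0 tells browsers to forget the stored policy"
    if p.max_age < ONE_YEAR:
        return "rollout", f"max-age={p.max_age} is under one year: fine for the 300-second trial, not for production"
    if p.max_age < TWO_YEARS:
        return "one-year", "meets the one-year minimum; two years is the recommended value"
    if p.include_subdomains and p.preload:
        return "preload-ready", "two years plus includeSubDomains and preload are all present"
    return "two-year", "meets the recommended duration; add includeSubDomains and preload before submitting"
```

Point it at the header value your server actually returns (for example from curl -I over HTTPS) to see which stage of the rollout you are at.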


Gotchas:

Remember to regularly monitor that the site’s certificates remain valid and properly configured so that the HTTPS configuration keeps working.


I lied. I promised Cyborgs in addition to learning about HSTS Max-Age Directives. Well, I can’t share the image, but just imagine Wall-E and EVE and her prime directive.



© 2021 by Jen Cracchiola. Powered by Wix