3

My website data is transferred via HTTPS. As far as I understand this, there is a certificate that is issued by CA which is provided by server for each client, client and server decide how to encrypt and decrypt the info being exchanged and from this point and on communicate only this way. This is basic HTTPS.

Now I do not understand where the Strict-Transport-Security header fits here. When the server sends it in response, the browser will conduct communication only via HTTPS. And in case some URLs are still HTTP it will automatically transform them to HTTPS.

Here is the question: if we've set up HTTPS like I've described in the first paragraph is it still necessary to send Strict-Transport-Security header with server response? If so, what purpose will it serve?

Anders
  • 64,406
  • 24
  • 178
  • 215
Olena Horal
  • 141
  • 6

2 Answers2

8

I'll refer you to this: https://security.stackexchange.com/a/17272/125176

Basically, HSTS tells the browser never to communicate with the server without HTTPS. In this way, you're covering both communication lines.

Excerpt:

HSTS tells the browser: never use HTTP with this site. Only access it via HTTPS. So, to enable HSTS, you must make sure that your site works with HTTPS, and only HTTPS. This includes everything: HTML, CSS, Javascript, everything. Make sure all of the CSS and Javascript on your site is available over HTTPS. Also, I suggest that you convert your pages to reference everything over HTTPS (I recommend your pages avoid loading any other Javascript or CSS resource over HTTP, as that may cause warnings or security problems for some browsers).

Is it necessary? That's up to you to decide. Is it recommended? Yes.

Community
  • 1
thel3l
  • 3,384
  • 11
  • 24
7

HSTS is the only protection against SSLStrip.

So yes, if you need to use https, then you need to use HSTS.

Tom
  • 2,063
  • 12
  • 19