
I've just checked with the SSL Server Test if I implemented the SSL certificate on my server correctly. I got a grade A in their ranking but you can get an A+ if you have activated HSTS. After some searching I found out that Google might treat HSTS as a ranking factor. So it seems to be relevant in terms of SEO. Before implementing HSTS I've got some questions.

Question 1

What happens if some external javascripts load for example an image over http (instead of https) on my site? Will HSTS prevent the whole page from loading or only block the specific "insecure" content?

Question 2

At the moment (without HSTS) I get a "mixed content" warning if resources are loaded via http. Does "mixed content" actually exist if HSTS is activated?

  • It seems to me you may be confusing HSTS with [CSP](https://en.wikipedia.org/wiki/Content_Security_Policy). Both are optional HTTPS-related security features controlled by specific HTTP(S) response headers, and they can both be used (in different cases) to automatically upgrade insecure HTTP requests to HTTPS, but [that's about where the similarity ends.](https://security.stackexchange.com/questions/178374/upgrade-insecure-requests-as-an-alternative-for-hsts) – Ilmari Karonen Aug 20 '18 at 13:42
  • No, I'm not confusing those technologies. I've just no idea how HSTS works. – Sr. Schneider Aug 20 '18 at 16:02

3 Answers


HSTS doesn't try to handle mixed content at all: it just controls whether the browser should perform an internal 307 redirect to HTTPS whenever it tries to load HTTP URLs, or not. The mixed content warning is a feature of the browser, and all the current browsers do it (Mozilla Firefox 23+, Google Chrome 21+, Internet Explorer 10+, Edge from the beginning...). The mixed content warning blocks e.g. <script> and <iframe>, but not <img>.

The mixed content warning on all the browsers mentioned is checked before loading any content at all, i.e. before HSTS redirects, too. This seems only natural, and is also easy to test. By default, all external images are loaded even using plain HTTP, and a mixed content warning is given only for scripts and iframes.

Mixed content without HSTS

HSTS only changes the situation where an image from an HSTS enabled domain is loaded using plain HTTP, and 307 Internal Redirect is performed. Worth noting: this is a situation with no mixed content warnings involved.

Mixed content with HSTS

Therefore, HSTS does not work as a quick fix for the mixed content problem:

  • You need to fix http:// URLs on your site even for the domain itself.
  • You need to ensure that you don't load external scripts from sources you don't trust.
    • If the third party doesn't enable HSTS, it's still vulnerable to man-in-the-middle attacks.
    • Third parties might load content from further external sources, and all this applies to those, too.
    • The external content site might be cracked or do malicious activities by themselves.
  • As a side note, if you are looking for a way to "upgrade" http requests to https, you may find some benefit from a content security policy (CSP), specifically the `upgrade-insecure-requests` attribute. You can read about it here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests. It appears to work with chrome and firefox at this time. – David Aug 21 '18 at 16:16
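The order of checks described in the accepted answer (the browser's mixed content check first, the HSTS 307 internal redirect only for the passive content that survives it), as an added example that is not part of the original post; the host names, resource kinds and HSTS entries are constructed assumptions:

```python
"""Model of the accepted answer's handling of subresources on an HTTPS page.
Added example; the host names and HSTS entries below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Per the answer: the mixed content check blocks <script> and <iframe>,
# but only warns about <img> (passive content).
ACTIVE_KINDS = {"script", "iframe"}


@dataclass(frozen=True)
class HstsEntry:
    """One host the browser has a cached HSTS policy for."""
    host: str
    include_subdomains: bool = False

    def covers(self, host: str) -> bool:
        if host == self.host:
            return True
        return self.include_subdomains and host.endswith("." + self.host)


def classify(resource_url: str, kind: str, hsts: Iterable[HstsEntry]) -> str:
    """Return what happens to one subresource of an HTTPS page:
    'https'    already secure, loaded as-is
    'blocked'  active content over http, blocked as mixed content
    'upgraded' passive content whose host has HSTS: 307 internal redirect,
               no mixed content warning
    'warning'  passive content over http from a host without HSTS
    """
    parts = urlsplit(resource_url)
    if parts.scheme == "https":
        return "https"
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    # The mixed content check runs before any HSTS redirect, so active
    # content never reaches the HSTS upgrade step.
    if kind in ACTIVE_KINDS:
        return "blocked"
    if any(entry.covers(parts.hostname or "") for entry in hsts):
        return "upgraded"
    return "warning"


def audit(resources: Iterable[Tuple[str, str]],
          hsts: Iterable[HstsEntry]) -> List[Tuple[str, str, str]]:
    """Classify every (url, kind) pair of a page; (url, kind, verdict) rows."""
    hsts = list(hsts)
    return [(url, kind, classify(url, kind, hsts)) for url, kind in resources]
```

Resources whose verdict is 'blocked' or 'warning' are the ones that still need their URLs fixed at the source; enabling HSTS on your own domain changes only the 'upgraded' rows.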

I think the answer to this would depend on whether the scripts you refer to are hosted on the domain for which HSTS is enabled.

E.g. if you serve your content from mydomain.com and enable HSTS for this domain (and possibly subdomains too) but the script(s) and other mixed content you refer to are served from otherdomain.com which does not enable HSTS then mixed content is possible and the browser will still warn about this.

What HSTS will stop (and will help fix mixed content for) is resources linked to via HTTP on the same domain - and perhaps subdomain depending on your config - as these will be "upgraded" to HTTPS automatically.

  • And what about scripts from other domains? They'll be blocked? – Sr. Schneider Aug 20 '18 at 08:22
  • No, I believe that HSTS applies to the domain that you apply the header to (and optionally the subdomains too). If you import a script from another domain which doesn't use HSTS and you do so via HTTP rather than HTTPS then the script isn't blocked due to HSTS (it might be blocked for other unrelated reasons like mixed content or CORS etc). In all likelihood, if you have a domain on HSTS and import resources via http from non hsts domains you'll get mixed content warnings. – David Aug 20 '18 at 09:24

This is by design: if HSTS is working, it'll retrieve the right image (the checkmark over HTTPS), and, if not, an X mark over HTTP.

Hopefully browsers will stop presenting mixed content warnings for content upgraded to HTTPS via HSTS. :)