Guide to HSTS and How it Works

HTTP Strict Transport Security, or HSTS, is an aspect of web application and network security that both users and developers should be aware of.

What Is HSTS?

HSTS, or HTTP Strict Transport Security, is a header-based mechanism that tells web browsers to connect to a website over “HTTPS” only. The overhead of processing HSTS is small, and it takes effect only once a 100% encrypted connection has been made between the browser and the website over HTTPS.

HSTS is a prerequisite because, as industry standards say, just having an SSL-encrypted website with a secure padlock and “HTTPS” is not enough; without an HSTS layer there are still weak spots where incidents can take place.

HSTS acts as a durable bridge that stops third-party attackers from forcing non-secure connections to a website.

HSTS also includes additional components, such as the HSTS preload list. We will explain the HSTS preload list because it is also an essential part of HSTS.

What Is the HSTS Preload List?

The HSTS preload list is the list of websites that a leading browser, such as Google Chrome, already treats as using HSTS in active mode. It takes a few seconds when a preload-list-enabled browser connects to one of these websites on the internet.

The preload list helps to close a secondary gap, such as an attacker trying to attack the session while the browser is still downloading the HSTS header.

How to Add a Preload List

It is quick and easy to add your website to the preload list; it requires only one addition (“preload”) to the HSTS header. Once you have updated the HSTS header with that directive, you can test it through Google’s sign-up page and add your website to the preload list.

Note: The preload list is updated automatically when a browser ships a revision or a version update.

Okay, before we complete this tutorial on HSTS headers, we want to discuss disabling HSTS headers in major browsers, because there are so many questions out there about “how to disable HSTS headers in a browser in Chrome” and “how to disable HSTS headers in a browser in Firefox.”

Let’s discuss the step-by-step process for disabling HSTS headers.

Disabling HSTS in Firefox

  • Close all your existing tabs in Firefox.
  • Open the Firefox history tab (for example, with the shortcut Ctrl + Shift + H on PC or Cmd + Shift + H on Mac).
  • Find the website for which you want to disable or clear HSTS settings.
  • Right-click the website and then click the option called “Forget About This Site.”
  • You're done! You have now completed the process of clearing the HSTS settings for that website.
  • Restart your Firefox browser.

Disabling HSTS in Chrome

  • Enter this location in the Chrome address bar: chrome://net-internals/#hsts
  • You will see a search box where you can look up the website for which you want to clear HSTS settings.
  • Click on the delete button on the concerned website.
  • That’s it. You are done with HSTS disabling for that website.
  • To confirm whether the settings are cleared or not, you could type the domain name in the search box, and see whether it appears as a result or not. If it does not, then you have successfully cleared your data.

Disabling HSTS in Safari

  • Close your Safari browser.
  • Delete the file from this location: ~/Library/Cookies/HSTS.plist 
  • Restart your Safari browser.

That’s it.

Published at DZone with permission of
