HTTP Strict Transport Security


HTTP Strict Transport Security (HSTS) is a security mechanism that enforces the use of HTTPS, ensuring data encryption and secure network communication in web applications. When enabled on a web server, the server sends an HSTS header in its HTTP response, instructing the browser to connect to that specific domain only over HTTPS. This reduces the risk of man-in-the-middle attacks, because the browser will refuse any attempt to downgrade the connection to HTTP or to connect with an invalid certificate.

Guide to HTTP Strict Transport Security (HSTS)

What is HTTP Strict Transport Security (HSTS)?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should interact with it only over secure HTTPS connections, and never via the insecure HTTP protocol.

Why is HSTS important?
HSTS is crucial for web security because it protects sensitive information while it travels across the web, preventing data theft and tampering.

How does HSTS work?
HSTS works by having the website include a special response header named 'Strict-Transport-Security' in its responses. A browser that receives this header remembers to always access that website via HTTPS, even when a page is later requested over HTTP.

Exam Tips: Answering Questions on HTTP Strict Transport Security
In an exam, remember the following about HSTS:

  • HSTS is not backwards compatible with HTTP. It only works with HTTPS.
  • If a website using HSTS fails to provide a valid certificate, the site will be unreachable (the browser does not let the user click through the error).
  • HSTS headers are only respected when they are served over HTTPS.
  • Implementing the HSTS policy through headers is a smart countermeasure to protocol downgrade attacks.
Remember points like these, and be prepared to answer both definition and situational questions about HSTS' role and application within web security.
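To make the mechanism concrete, here is an added Python example (not code from the original page) that models the browser side of HSTS as described above and in the exam tips: parsing the Strict-Transport-Security header, ignoring it when it arrives over plain HTTP, remembering the host for max-age seconds (with includeSubDomains), and upgrading later http:// requests to https://. The class and function names are this example's own, and the behaviour follows RFC 6797.

```python
import time
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if invalid (missing or bad max-age)."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}

class HstsCache:
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}   # host -> (expiry time, includeSubDomains)

    def observe(self, url, header):
        """Record the policy carried by a response to `url`. The header is
        only honoured when the response itself came over HTTPS (RFC 6797)."""
        parts = urlsplit(url)
        policy = parse_hsts(header) if parts.scheme == "https" else None
        if policy is None:
            return False
        if policy["max_age"] == 0:          # max-age=0 tells the browser to forget the host
            self.entries.pop(parts.hostname, None)
        else:
            self.entries[parts.hostname] = (self.now() + policy["max_age"],
                                            policy["include_subdomains"])
        return True

    def rewrite(self, url):
        """Return the URL the browser would fetch: http:// becomes https:// for a
        remembered, unexpired host (or its subdomains when includeSubDomains was set)."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):               # exact host first, then parent domains
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return "https://" + url[len("http://"):]
        return url
```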

CompTIA Security+ - Web Security Example Questions


Question 1

A website administrator wants to ensure that all communication from the client's browser to the web application is secured by enforcing HTTPS. What should they implement?

Question 2

A penetration tester discovers that an MITM attack is possible on a website due to an insecure HTTP connection. What should the website owner implement to eliminate the risk?

Question 3

A security engineer wants to configure HSTS headers for their website. What should they include in the HTTP response?
