
I have a web server running IIS, where I have direct access to a page like (page.com), so that's the reason why I have allowed HTTP (port 80) and then I am using HTTPS (port 443). When a user enters the page on port 80 (page.com), he will be redirected to HTTPS (443). So my web server uses HSTS with a long max-age parameter (defense against SSL strip).

Is my page secure with HSTS header this way? If not, what should I do?

Thanks a lot!

lennon310
Sirdhemond

1 Answer


As always, the question is: secure against what? Secure against SSL strip after the first response with HSTS (and before it expires)? Yes. Secure against SSL strip on the very first request (or the first after HSTS expired)? No. Secure against a range of different attacks? Not necessarily (DNS hijack on the first request, corporate SSL inspection, rogue root cert in clients, malware... the list is endless).

Could you make it more secure? Yes, by disabling plain HTTP altogether. Would that make sense in your scenario? Only you can tell.

Gabor Lengyel
  • Why would disabling HTTP make it more secure? If worried about messages being intercepted, then an attacker can just fake an HTTP server and respond for you. – Barry Pollard Jan 14 '20 at 00:09
  • @BarryPollard Of course you are right. The only thing is, relying on automatic redirection to a secure site instead of the originally requested insecure one doesn't feel right. Consider links for example. Let's say I have example.com. Would pretty much everybody link to `http://example.com` if that *worked*? Sure they would. Would they link to `https` if that's the only way? Probably yes, and the web is then a better place. :) – Gabor Lengyel Jan 14 '20 at 00:21
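The answer's "yes after the first response, no on the first request or after expiry" can be made concrete by modelling the client side of HSTS. The following is an added example written for this page, not code from the question, the answer, or IIS: a minimal RFC 6797 policy cache that a browser keeps, walked through the asker's setup (plain-HTTP first visit, redirect, HTTPS response carrying the header, return visits before and after max-age). It also captures the caveat practitioners trip over most often: a `Strict-Transport-Security` header on the port-80 redirect response is ignored by the client (RFC 6797 section 8.1), so the header has to be on the HTTPS response. The host name `page.com`, the timestamps and the header values are constructed for illustration.

```python
"""Model of a browser's HSTS cache (RFC 6797), used to show which requests the
question's HTTP->HTTPS redirect setup actually protects.

Added example, not code from the original post. Host names, timestamps and
header values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600


@dataclass
class StsPolicy:
    expires_at: float
    include_subdomains: bool


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.

    Returns (max_age_seconds, include_subdomains), or None when a browser
    would discard the header (no max-age, malformed max-age, or a directive
    repeated). Unknown directives such as "preload" are ignored.
    """
    seen = set()
    max_age = None
    include_sub = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # duplicate directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # value may be a quoted-string
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """The part of a user agent that decides whether to rewrite http:// to https://."""

    def __init__(self) -> None:
        self.known: Dict[str, StsPolicy] = {}

    def observe_response(self, host: str, over_tls: bool,
                         sts_header: Optional[str], now: float) -> None:
        # RFC 6797 section 8.1: STS received over insecure transport is ignored,
        # so a header on the port-80 redirect itself never creates a policy.
        if not over_tls or sts_header is None:
            return
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:  # max-age=0 tells the client to forget the host
            self.known.pop(host, None)
            return
        self.known[host] = StsPolicy(now + max_age, include_sub)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if the client itself turns http://host into https://host."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            pol = self.known.get(candidate)
            if pol is None:
                continue
            if now >= pol.expires_at:  # expired policy is dropped; window reopens
                del self.known[candidate]
                continue
            if i == 0 or pol.include_subdomains:
                return True
        return False


def simulate(sts_header: str) -> Dict[str, bool]:
    """Walk one client through the asker's setup and report what is upgraded."""
    cache = HstsCache()
    host = "page.com"  # constructed stand-in for the asker's site
    t0 = 1_000_000.0
    out: Dict[str, bool] = {}
    # Visit 1: nothing cached, so the request leaves over plain HTTP (strippable).
    out["first_request_upgraded"] = cache.should_upgrade(host, t0)
    # The port-80 reply is the redirect; an STS header there is ignored.
    cache.observe_response(host, over_tls=False, sts_header=sts_header, now=t0)
    out["policy_after_http_redirect"] = cache.should_upgrade(host, t0)
    # The HTTPS reply carries the header; from here on the client upgrades itself.
    cache.observe_response(host, over_tls=True, sts_header=sts_header, now=t0)
    out["return_visit_upgraded"] = cache.should_upgrade(host, t0 + 3600)
    out["subdomain_upgraded"] = cache.should_upgrade("www." + host, t0 + 3600)
    parsed = parse_sts_header(sts_header)
    max_age = parsed[0] if parsed else 0
    # First request after max-age elapses is back to the unprotected state.
    out["after_expiry_upgraded"] = cache.should_upgrade(host, t0 + max_age + 1)
    return out


def policy_findings(sts_header: str) -> List[str]:
    """Checks a practitioner would run on the header the HTTPS site sends."""
    findings: List[str] = []
    parsed = parse_sts_header(sts_header)
    if parsed is None:
        return ["header invalid or missing max-age; browsers will ignore it"]
    max_age, include_sub = parsed
    if max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is under one year; the post-expiry window recurs sooner")
    if not include_sub:
        findings.append("no includeSubDomains; http://<sub>.page.com stays strippable")
    return findings


if __name__ == "__main__":
    print(simulate("max-age=31536000; includeSubDomains"))
    print(policy_findings("max-age=600"))
```

Running `simulate` with a one-year policy shows exactly the answer's split: the first request and the first request after expiry go out over plain HTTP, every visit in between is upgraded client-side, and the header is only honoured once it arrives over TLS. The remaining first-request gap is what the browser HSTS preload list exists to close; disabling port 80, as the answer suggests, removes the redirect but does not stop an attacker from answering on port 80 themselves, which is the point Barry Pollard's comment makes.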