
The MDN page on HTTP Strict Transport Security (HSTS) has an example of HSTS settings as below:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

I can find the corresponding meaning of max-age and includeSubDomains in RFC 6979, but it does not give the meaning of preload.

I have tested in the latest Chrome and Firefox, and it seems that preload does not do anything at all. With and without preload, when making an HTTP request, both trials in Chrome show a 307 Internal Redirect made by the Chrome browser without any request to the server, which is what HSTS is expected to do.

So what is the purpose of preload?

In addition, even if I add the HSTS header, there is still a chance of being attacked the first time the user visits the website over HTTP. How can we mitigate this risk? That is, how can we tell the browser to add the domain to the HSTS list before any request is sent to the server?

P.S.

I have found https://hstspreload.org/, which, if I want to register the domain, requires me to add the max-age and preload directives. Is that the reason why preload is necessary? And is this the page where I should add my domain to ensure new users are safe from the SSL Stripping Attack?

CHANist

1 Answer

Preload is a big commitment. It will effectively be hardcoded into a browser’s code. Given it takes several months at a minimum to roll out a new version, it’s basically irreversible.

Also, as it’s done at the domain level, mistakes have been made. For example, preloading domain.com but then discovering afterwards that blog.domain.com or intranet.domain.com have not been upgraded to HTTPS. At this point your options are 1) upgrade all non-HTTPS sites to HTTPS and live with zero users to the site until then, or 2) reverse the preload and wait the months for that to roll out to all browsers and deal with zero users until then.

HTTPS is much more common now, so the risks are reduced but when HSTS preload first came out, these were real risks.

Therefore the preload attribute was a signal that the site owner was ready for that commitment. It also prevented someone else submitting a site that wasn’t using this header (whether maliciously or with good, but misguided, intentions).

You are correct in that it doesn’t “do” anything in the browser.

There was also talk of checking if the preload header was still being sent and, if not, removing the site from the preload list, but I’m not sure if that’s done.

Barry Pollard
  • Thanks for the reply. I know it will be hardcoded into the browser, otherwise it wouldn't help solve the SSL Stripping Attack. But is `preload` just used so that we can register my domain at `https://hstspreload.org/`? Say, if I do not register my domain there, is it useless to add such an attribute? In return for not registering the domain on that website, I will accept a small chance of attack by a hacker the first time a user requests my website using HTTP? Is my understanding correct? – CHANist Mar 08 '22 at 00:28
  • Yes, preloading is to prevent the first-connection risk. And yes, that website is used to register with Chrome (which then usually passes its list on to other browsers). It is possible other browsers will pick this up separately, not through that site. So yeah, if you don’t want to preload your site you should not set that attribute. – Barry Pollard Mar 08 '22 at 10:22
  • @CHANist Yes, the `preload` attribute in `Strict-Transport-Security` doesn't do anything by default. It's a marker for `https://hstspreload.org/` that the site admin is okay with preloading. Note that even if you have `preload` and you register the site for preloading, your site may or may not be included in the HSTS Preload list. As this list is hardcoded in the browser, increasing its size has a non-zero cost and e.g. Chrome seems to prune this list from time to time. – Mikko Rantalainen Mar 14 '23 at 08:56
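The following is an added example, not code from the question, the answer or the MDN/hstspreload.org pages. It parses the `Strict-Transport-Security` header quoted in the question, checks it against the header-level criteria a preload submission needs (the one-year minimum `max-age`, `includeSubDomains` and the `preload` marker are encoded as assumptions about hstspreload.org's published rules, so verify them against the site), and models the point made in the answer and comments: `preload` is never acted on by the browser, and only a host that is already in the built-in preload list, or was learned from an earlier HTTPS response, is upgraded with an internal redirect instead of a plaintext first request.

```python
"""Parse Strict-Transport-Security and model the HSTS first-visit gap.

Added example, not code from the original question or answer. The preload
submission criteria in check_preload_requirements() are assumptions about
what hstspreload.org requires at the header level.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ASSUMED_PRELOAD_MIN_MAX_AGE = 31536000  # one year; assumed hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False  # marker for list submission only; browsers never act on it
    unknown: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an STS header value as laid out in RFC 6797 section 6.1.

    Directive names are case-insensitive, each may appear at most once,
    max-age is mandatory and unknown directives are ignored but recorded.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    unknown: List[str] = []
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age requires a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            unknown.append(name)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload, unknown)


def check_preload_requirements(policy: HstsPolicy) -> List[str]:
    """Return header-level problems that would block a preload submission (assumed rules)."""
    problems = []
    if policy.max_age < ASSUMED_PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {ASSUMED_PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload directive is required as the owner's opt-in signal")
    return problems


class BrowserHstsState:
    """Minimal model of what a browser knows: the compiled-in preload list plus
    policies learned from responses that arrived over HTTPS."""

    def __init__(self, preload_list: Dict[str, bool]):
        self.preloaded = dict(preload_list)  # host -> includeSubDomains flag
        self.learned: Dict[str, Tuple[HstsPolicy, float]] = {}

    def _covered(self, host: str, now: float) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preloaded and (exact or self.preloaded[candidate]):
                return True
            entry = self.learned.get(candidate)
            if entry and entry[1] > now and (exact or entry[0].include_subdomains):
                return True
        return False

    def navigate(self, url: str, now: float) -> str:
        """Describe what leaves the machine when the user types an http:// URL."""
        parts = urlsplit(url)
        if parts.scheme == "https" or self._covered(parts.hostname, now):
            return f"307 Internal Redirect to https://{parts.hostname}{parts.path}"
        return f"plaintext request to http://{parts.hostname}{parts.path}"  # first-visit gap

    def receive(self, host: str, over_tls: bool, header_value: str, now: float) -> bool:
        """Apply an STS header; RFC 6797 section 8.1 says to ignore it over plain HTTP."""
        if not over_tls:
            return False
        policy = parse_hsts(header_value)
        if policy.max_age == 0:
            self.learned.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.learned[host] = (policy, now + policy.max_age)
        return True
```

Running `check_preload_requirements` on the MDN header from the question returns no problems, while `max-age=300` alone fails all three checks; `BrowserHstsState` shows that the `preload` directive changes nothing in `navigate`, only list membership or a previously received HTTPS response does.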