HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797. The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security". The HSTS Policy specifies a period of time during which the user agent shall access the server only over secure connections.
The most important security vulnerability that HSTS can fix is the SSL-stripping man-in-the-middle attack, first publicly introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice." The SSL stripping attack works (on both SSL and TLS) by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. Many websites do not use TLS/SSL, so there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack or simply because the website hasn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.

HSTS addresses this problem by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can still be stripped by the attacker if this is the user's first visit. Google Chrome and Mozilla Firefox attempt to limit this problem by including a "pre-loaded" list of HSTS sites. Unfortunately this solution cannot scale to include all websites on the internet; a potential solution might be achieved by using DNS records to declare HSTS Policy and accessing them securely via DNSSEC, optionally with certificate fingerprints to ensure validity (although DNSSEC will have secure last-mile issues for the foreseeable future).

HSTS can also help to prevent having one's cookie-based website login credentials stolen. You can implement this right away.
What is HSTS Pre-loading?
I would recommend adding the header in a custom vhost configuration. Consult your webmaster for implementation.
If you run this web engine, please comment on how to improve the insertion instructions.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
This YouTube video, "OWASP Appsec Tutorial Series – Episode 4", describes the importance of using HTTPS for all sensitive communication, and how the HTTP Strict Transport Security header can be used to ensure greater security by transforming all HTTP links to HTTPS automatically in the browser.
Google Webmaster Tools stopped indexing after implementation, so I went to http://stackoverflow.com/questions/22733108/hsts-blocks-googlebot to find answers.