HTTP Strict Transport Security: What are the security benefits?

Google's use of HTTP Strict Transport Security aims to improve web browsing security. Expert Judith Myerson explains how HSTS can make the internet more secure.

Google recently announced that it plans to enforce HTTP Strict Transport Security for many of its top-level domains....

What are the security benefits of HTTP Strict Transport Security? Are there any drawbacks?

Google plans to enforce HTTP Strict Transport Security (HSTS) on its own domains regardless of whether HTTPS is used as a search engine optimization ranking signal. HSTS is a response header, Strict-Transport-Security, that tells a browser to reach the site only over HTTPS for a stated period (max-age). Once a browser has seen it, the browser rewrites any http:// request for that host to https:// before the request is sent and refuses to let the user click through a certificate error. The security benefit comes from the combination with TLS: the certificate authenticates the server, the encrypted channel protects the confidentiality and integrity of data in transit, and HSTS removes the plaintext first request that an attacker on the network could otherwise intercept and downgrade (the SSL-stripping attack). The lock icon in the address bar lets web visitors know the connection is secured.

Certificate validation ensures that the server presenting the certificate holds the private key matching a certificate that a trusted certificate authority issued for that domain name, which is what lets the browser trust that it is talking to the site's legitimate operator. On a host the browser knows to be HSTS-protected, this check is strict: the user cannot bypass a warning about an untrusted or mismatched certificate. The integrity protection of TLS then prevents a third party on the path from reading or changing data going to and from the web server.

The HTTP Strict Transport Security preload list is built into all major browsers, so covered hosts are treated as HTTPS-only even on a first visit, before the browser has ever seen the Strict-Transport-Security header from them. The list can contain individual domains or subdomains, as well as entire top-level domains. Google has already preloaded some of its own top-level domains, including .google, .foo and .dev, and gmail.com is on the preload list as well: the browser changes http://gmail.com to https://gmail.com before sending the request. HSTS governs only the connection the browser makes, so an organization that fronts its origin with a CDN or caching server must make sure that layer also serves a valid certificate and the header, because that is the endpoint the browser actually talks to.
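To make the behaviour described above concrete, the following is an added example, not code from the article or from Google or Chrome: a minimal model of how a browser parses a Strict-Transport-Security header (RFC 6797), checks it against the preload submission requirements, stores the resulting policy alongside preloaded entries, and upgrades http:// URLs before a request leaves the machine. The host names, header values, preload entries and the injectable clock are all constructed for illustration.

```javascript
// Added example (not the article's or Chrome's code): a toy HSTS policy store.
// Hostnames, header values and the clock below are constructed for illustration.

const ONE_YEAR = 31536000; // smallest max-age the preload list accepts

// Parse a Strict-Transport-Security header value. Returns null when the header
// is invalid (missing or non-numeric max-age, or a repeated directive); a
// browser then ignores it and keeps whatever policy it already had.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  const seen = new Set();
  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : part.slice(eq + 1).trim();
    if (seen.has(name)) return null; // each directive may appear only once
    seen.add(name);
    if (name === 'max-age') {
      const num = value === null ? '' : value.replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(num)) return null;
      policy.maxAge = Number(num);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
    // Unknown directives are ignored so the syntax can be extended later.
  }
  return policy.maxAge === null ? null : policy;
}

// Header-level requirements for a preload-list submission: at least one year,
// includeSubDomains, and the preload token.
function preloadEligible(policy) {
  return policy !== null && policy.maxAge >= ONE_YEAR &&
    policy.includeSubDomains && policy.preload;
}

class HstsStore {
  // preloaded: [{ host, includeSubDomains }] baked into the browser, never expiring.
  // now: clock in milliseconds, injectable so expiry can be exercised offline.
  constructor(preloaded = [], now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // host -> { expiresAt, includeSubDomains }
    for (const { host, includeSubDomains } of preloaded) {
      this.entries.set(host.toLowerCase(), { expiresAt: Infinity, includeSubDomains });
    }
  }

  // Record a policy carried by a response. Callers must only pass headers that
  // arrived over HTTPS with a valid certificate; one seen on plain HTTP is ignored.
  learn(host, headerValue) {
    const p = parseHsts(headerValue);
    if (p === null) return false;
    host = host.toLowerCase();
    const existing = this.entries.get(host);
    if (existing && existing.expiresAt === Infinity) return true; // preload wins
    if (p.maxAge === 0) { this.entries.delete(host); return true; } // max-age=0 revokes
    this.entries.set(host, {
      expiresAt: this.now() + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
    return true;
  }

  // Is host covered, either exactly or by a parent entry with includeSubDomains?
  isKnown(host) {
    host = host.toLowerCase();
    if (/^[\d.]+$/.test(host) || host.startsWith('[')) return false; // IP literals never match
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expiresAt <= this.now()) { this.entries.delete(candidate); continue; } // expired
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // The rewrite the browser performs before any bytes leave the machine.
  // Non-default ports are kept as-is; the URL parser already drops an explicit :80.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// Constructed preload entries modelled on the page: gmail.com and the .dev TLD.
const PRELOAD = [
  { host: 'gmail.com', includeSubDomains: true },
  { host: 'dev', includeSubDomains: true },
];

const demo = new HstsStore(PRELOAD);
console.log(demo.upgrade('http://gmail.com/'));         // https://gmail.com/
console.log(demo.upgrade('http://api.example.dev/v1')); // https://api.example.dev/v1
console.log(demo.upgrade('http://example.com/'));       // http://example.com/ (unknown host: first request stays plaintext)
```

The last line of the demo is the gap HSTS cannot close on its own: a host that is neither preloaded nor previously visited over HTTPS is reached in plaintext once, which is exactly why Google preloads whole top-level domains rather than relying on the header alone.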

The practical issue is the type of certificate an organization uses to back HTTPS: a paid certificate, a free one from an automated certificate authority, or one managed by a cloud provider. A paid certificate may be expensive, but it is easier to manage across multiple domains, and it is valid for a year or more. Free certificates are valid for only 90 days, so renewal has to be automated, and at the time of writing they were not trusted by some older clients, including BlackBerry and Nintendo 3DS. HSTS itself also has a drawback to plan for: once browsers have cached a long max-age policy, especially one with includeSubDomains, any host under that name that cannot serve valid HTTPS becomes unreachable until the policy expires, and a preloaded entry cannot be withdrawn quickly because removal only reaches users with new browser releases.

A separate issue is that Google recently received a very low grade from SecurityHeaders.io, a website run by Scott Helme that analyzes and rates the security-related HTTP response headers a site sends, for not setting all of the recommended headers. SecurityHeaders.io reported that three of the headers it checks were missing from the server's response.

However, Google did receive credit for the two response headers that defend against clickjacking and cross-site scripting attacks. A header grade says nothing about preloading or certificates: a preload entry only tells the browser to insist on HTTPS, and every host the entry covers still needs a valid certificate, whatever validity period its issuer uses.

This was last published in November 2017
