Yes! And boy, it's not something you want to just enable without some thought.
I enabled it on a site that works without Host: inspection. HTTP gets you site A, and HTTPS gets you site B. (Different hostnames). This is obviously an odd arrangement, but it was working well for our little niche requirement.
I enabled HSTS in nginx while I was scrambling to do the heartbleed patch. I enabled all sorts of new age HTTPS options: HSTS, cert stapling, heavier ciphersuites, et cetera.
Of course, the HSTS started forcing all my HTTP users on site A over to site B, and I looked quite the fool. (Which is fair, because what I did was foolish and I deserved a little ridicule)
It's a neat option and maybe even the base case allows for it, but think about it before you flip it on!
You almost never want to also include the subdomains, unless you have a wildcard SSL certificate.
I made that mistake, couldn't reach any other subdomain of my site because only 1 was protected by ssl. Clearing that HSTS header information is not so easy..
Well, it depends. You shouldn't include subdomains if you have some that do not support HTTPS. That would be an instant self-inflicted denial of service attack.
However, for best security, you must include subdomains. Because the cookie specification is very lax, any subdomain can inject cookies into your otherwise protected (with TLS and HSTS) site. This injection, which will be seen as unexpected by developers, might be used as an attack vector. Note that, even if you don't have any subdomains, a MITM -- who controls the wire and thus the DNS -- can always make up arbitrary names and then inject from them. There are other smaller attack vectors that can be abused unless the entire domain name (e.g., example.com) is under HSTS.
My understanding is that HSTS is purely for the client side. You can still have a server that serves http if you want, but any client that supports HSTS that has visited your domain since you started sending the header will simply add tls to any http:// link that it comes across.
So your image link can still be served, but if the client does support HSTS it'll see the header and then make all subsequent requests over TLS.
HSTS should be an implicit browser feature, not a server-side add-on. There should not need to be a server-side flag required to enforce this behavior.
If you go to an HTTPS page on a given domain, your browser should always prefer the HTTPS page, even if you try to follow an HTTP page. The reason is, if you were able to reach the page via HTTPS before, you should be able to reach it there again, and HTTP would only expose you to an unencrypted page which is more than likely the same in content. The only downside is that sometimes HTTPS and HTTP URIs serve different resources even though the URI is the same (which I believe should be considered bad behavior by the web server)
Requiring admins to enable HSTS puts the onus on web server admins who are motivated to improve security for their users a tiny bit, and only works for admins who have servers that can support HSTS flags. There are many legacy systems which simply can't or won't be changed to support it. Hopefully the above behavior gets put into the HTTP 2.0 standard so admins don't need to go through a checkist of add-on security measures every time they create a new web server instance.
The HTTP 2.0 spec[1] mentions "Implementations of HTTP/2 MUST support TLS 1.2 and it appears Chrome will implement HTTP/2 via TLS only (http://volgarev.me/blog/75094931827).
Good to see the word is spreading about HSTS. EFF started pushing it earlier this month [1], with a perhaps fair claim that it's not widely known about by web developers.
As the article shows it's pretty straightforward to setup; if you can add a response header to your app then you'll be able to figure out how to harden your app with HSTS.
For my fellow web developers who like to learn by video, I've tried to make an easily digested screencast and a page of sketch notes to help get the word out about HSTS and explain what it protects against [2].
These settings are giving me an A+ on SSLLabs.com...
# - Apache 2.4 PFS & BEAST attack Safe /etc/apache2/mods-enabled/ssl.conf
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
SSLHonorCipherOrder on
SSLCompression off
# - HSTS Apache directive to force SSL (.htaccess or per site in control panel)
Header always set Strict-Transport-Security "max-age=15552000"
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NC,R=301,L]
If you are using a site-signed cert and giving intended visitors a corresponding browser cert (being your own CA), and turn on HSTS, I assume the non-bypassable warning page would not be triggered, and the author's reference to "self-signed certs" is an inaccurate shorthand for "site certs the browser doesn't trust a CA for". (If this interpretation is wrong, HSTS would prevent a secure connection in this scenario.)
And if your server is rewriting URLs instead of using 301, then clients are not vulnerable to the redirect loophole and HSTS gives no benefit in that respect?
ds9, yes, "site certs the browser doesn't trust a CA for" is more accurate. You can find the exact details of HSTS and self-signed certs in the draft in section 11.3[1]. I've updated the post to hopefully be more clear.
HSTS is a good concept, and all browsers implement it, but there's no way to inspect which domains are flagged with it in your browser. So if you pick one up by mistake when you're testing the feature out in development, it just sticks, and the only way to get rid of it is to clear your entire browser cache or reset it, which is extremely annoying.
Browser makers: Please, please, please implement a way for me to inspect and remove individual HSTS "flags" so testing it doesn't become so painful.
Is this a different implementation of Diffie–Hellman? As far as I can tell (and I am likely wrong) there needs to be one successful connection attempt using a secure protocol, in this case HSTS, to detect if the redirect was indeed to the correct site or a MitM attack.
HSTS isn't a protocol, it bascailly a flag that tells a browser to only use TLS to connect to a specfic domain. It normally does require one successful connection for the server to tell it, but both chrome [0] and firefox [1] have a list of sites built-in so that even the first time they connect they'd be TLS.
I enabled it on a site that works without Host: inspection. HTTP gets you site A, and HTTPS gets you site B. (Different hostnames). This is obviously an odd arrangement, but it was working well for our little niche requirement.
I enabled HSTS in nginx while I was scrambling to do the heartbleed patch. I enabled all sorts of new age HTTPS options: HSTS, cert stapling, heavier ciphersuites, et cetera.
Of course, the HSTS started forcing all my HTTP users on site A over to site B, and I looked quite the fool. (Which is fair, because what I did was foolish and I deserved a little ridicule)
It's a neat option and maybe even the base case allows for it, but think about it before you flip it on!