Strict Transport Security by PayPal, Inc., Collin Jackson, Adam Barth is licensed under a Creative Commons Attribution 3.0 United States License.
THIS SPECIFICATION IS PROVIDED "AS IS." PayPal, Inc., Collin Jackson, Adam Barth MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT.
This document defines a mechanism to enabling Web sites to declare themselves accessible only via secure connections, and/or for users to be able to direct their user agent(s) to interact with given sites over secure connections only. This overall policy is referred to as Strict Transport Security.
Strict-Transport-SecurityHTTP Response Header Field
Strict-Transport-SecurityResponse Header Field Processing
This section is non-normative.
The HTTP protocol [RFC2616] may be used over various transports, typically the Transmission Control Protocol (TCP) [RFC793]. However, TCP does not provide channel integrity protection, confidentiality, nor secure server identification. Thus the Secure Sockets Layer (SSL) protocol [SSL3], and its successor Transport Layer Security (TLS) [RFC4346], were developed in order to provide channel-oriented security, and are typically layered between application protocols and TCP. [RFC2818] specifies how HTTP is layered onto TLS, and defines the Universal Resource Identifier (URI) scheme of "https" (in practice however, HTTP user agents (UAs) typically offer their users choices among SSL2, SSL3, and TLS for secure transport). URIs themselves are specified in [RFC3986].
UAs employ various local security policies with respect to the characteristics of their interactions with web resources depending on (in part) whether they are communicating with a given web resource using HTTP or HTTP-over-a-Secure-Transport. For example, cookies ([RFC2109] and [RFC2965]) may be flagged as Secure. UAs are to send such Secure cookies to their addressed server only over a secure transport. This is in contrast to non-Secure cookies, which are returned to the server regardless of transport (although modulo other rules).
UAs typically annunciate to their users any issues with secure connection establishment, such as being unable to validate a server certificate trust chain, or if a server certificate is expired, or if a server's domain name appears incorrectly in the server certificate (see section 3.1 of [RFC2818]). Often, UAs provide for users to be able to elect to continue to interact with a web resource in the face of such issues. This behavior is sometimes referred to as "click(ing) through" security [GoodDhamijaEtAl05] [SunshineEgelmanEtAl09], and thus can be described as click-through insecurity.
Jackson and Barth proposed an approach, in [ForceHTTPS], to enable web sites and/or users to be able to declare that such issues are to be treated as fatal and without direct user recourse. The aim is to prevent users from unintentionally downgrading their security.
This specification embodies and refines the approach proposed in [ForceHTTPS], e.g. a HTTP request header field is used to convey site policy to the UA rather than a cookie.
This section is non-normative.
This section discusses the use cases, summarizes the Strict Transport Security (STS) policy, and continues with a discussion of the threat model, non-addressed threats, and derived requirements.
The overall applicable use case here is a combination of these two use cases:
Web browser user wishes to discover, or be introduced to, and/or utilize various web sites (some arbitrary, some known) in a secure fashion.
Web site deployer wishes to offer their site in an explicitly secure fashion for both their own, as well as their users', benefit.
The characteristics of the Strict Transport Security policy, as applied to some given web site, known as a STS Server, is summarized as follows:
Insecure ("http") connections to a STS Server are redirected by the STS Server to be secure connections ("https").
The UA terminates, without user recourse, any secure transport connection attempts upon any and all errors, including those caused by a site wielding self-signed certificates.
UAs transform insecure URI references to a STS Server into secure URI references before dereferencing them.
STS is concerned with three threat classes: passive network attackers, active network attackers, and imperfect web developers. However, it is explicitly not a remedy for two other classes of threats: phishing and malware. Addressed and not addressed threats are briefly discussed below. Readers may wish refer to [ForceHTTPS] for details as well as relevant citations.
When a user browses the web on a wireless network, a nearby attacker can eavesdrop on unencrypted connections, such as HTTP requests. Such a passive network attacker can steal session identifiers and hijack the user's session, by obtaining cookies containing authentication credentials for example. Such passive eavesdropping attacks are easily performed using wireless sniffing toolkits.
To mitigate this threat, some sites permit, but usually do not force, access using secure transport -- e.g. by employing "https" URIs. This can lead users to believe that accessing such services using secure transport protects them from passive network attackers. Unfortunately, this is often not the case in real-world deployments as session identifiers are often stored in non-Secure cookies to permit interoperability with versions of the service offered over insecure transport. For example, if the session identifier for a web site (an email service, say) is stored in a non-Secure cookie, it permits an attacker to hijack the user's session if the user makes a single insecure HTTP request to the site.
A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly-named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt-out of these protections in order to be usable for sites that incorrectly deploy secure transport, for example by generating and self-signing their own certificates (without also distributing their CA certificate to their users' browsers).
The security of an otherwise uniformly secure site (i.e. all of its content is materialized via "https" URIs), can be compromised completely by an active attacker exploiting a simple mistake, such as the loading of a cascading style sheet or a SWF movie over an insecure connection (both cascading style sheets and SWF movies can script the embedding page, to the surprise of many web developers -- most browsers do not issue mixed content warnings when insecure SWF files are embedded). Even if the site's developers carefully scrutinize their login page for mixed content, a single insecure embedding anywhere on the site compromises the security of their login page because an attacker can script (control) the login page by injecting script into the page with mixed content.
"Mixed content" here refers to the same notion referred to as "mixed security context" later elsewhere in this specification.
Phishing attacks occur when an attacker solicits authentication credentials from the user by hosting a fake site located on a different domain than the real site, perhaps driving traffic to the fake site by sending a link in an email message. Phishing attacks can be very effective because users find it difficult to distinguish the real site from a fake site. STS is not a defense against phishing per se; rather, it complements many existing phishing defenses by instructing the browser to protect session integrity and long-lived authentication tokens [ForceHTTPS].
Because STS is implemented as a browser security mechanism, it relies on the trustworthiness of the user's system to protect the session. Malicious code executing on the user's system can compromise a browser session, regardless of whether STS is used.
This section identifies and enumerates various requirements derived from the use cases and the threats discussed above, and lists the detailed core requirements Strict Transport Security addresses, as well as ancillary requirements that are not directly addressed.
Minimize the risks to web browser users and web site deployers that are derived from passive and active network attackers, web site development and deployment bugs, as well as insecure user actions.
These core requirements are derived from the overall requirement, and are addressed by this specification.
Web sites need to be able to declare to UAs that they should be interacted with using a strict security policy.
Web sites need to be able to instruct UAs that contact them insecurely to do so securely.
UAs need to note web sites that signal strict security policy enablement, for a web site declared time span.
UAs need to re-write all insecure UA "http" URI loads to use the "https" secure scheme for those web sites for which secure policy is enabled.
Web site administrators need to be able to signal strict security policy application to subdomains of higher-level domains for which strict security policy is enabled, and UAs need to enforce such policy.
UAs need to disallow security policy application to peer domains, and/or higher-level domains, by domains for which strict security policy is enabled.
UAs need to prevent users from clicking-through security warnings. Halting connection attempts in the face of secure transport exceptions is acceptable.
A means for uniformly securely meeting the first core requirement above is not specifically addressed by this specification (see Bootstrap MITM Vulnerability). It may be addressed by a future revision of this specification or some other specification. Note also that there are means by which UA implementations may more fully meet the first core requirement, see UA Implementation Advice.
These ancillary requirements are also derived from the overall requirement. They are not normatively addressed in this specification, but could be met by UA implementations at their implementor's discretion, although meeting these requirements may be complex.
Disallow "mixed security context" (also known as "mixed-content") loads (see section 5.3 "Mixed Content" in [W3C-WebSecGuide-UI]).
Facilitate user declaration of web sites for which strict security policy is enabled, regardless of whether the sites signal STS Policy.
This specification is written for servers and user agents (UAs).
As well as sections and appendices marked as non-normative, all diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
In this specification, the words MUST, must not, and may, and should are to be interpreted as described in [RFC2119].
A conformant server is one that implements all the requirements listed in this specification that are applicable to servers.
A conformant user agent is one that implements all the requirements listed in this specification that are applicable to user agents.
..is a note.
Some of the more major known issues are marked like this.
this is how a warning is shown.
Terminology is defined in this section.
ASCII case-insensitive comparison means comparing two strings exactly, codepoint for codepoint, except that the characters in the range U+0041 .. U+005A (i.e. LATIN CAPITAL LETTER A to LATIN CAPITAL LETTER Z) and the corresponding characters in the range U+0061 .. U+007A (i.e. LATIN SMALL LETTER A to LATIN SMALL LETTER Z) are considered to also match. See [UNICODEv5.0] for details.
codepoint is a colloquial contraction of Code Point, which is any value in the Unicode codespace; that is, the range of integers from 0 to 10FFFF16 [UNICODEv5.0].
Domain Name: Domain Names, also
referred to as DNS Names, are defined in
[RFC1035] to be represented outside of
the DNS protocol itself (and implementations thereof) as a
series of labels separated by dots, e.g.
"example.com" or "yet.another.example.org".
In the context of this specification, Domain Names appear in
that portion of a URI satisfying the
production in "Appendix A. Collected ABNF for URI" in
component from the Host HTTP header field production in section
14.23 of [RFC2616].
The Domain Names appearing in actual URI instances and matching the aforementioned production components may or may not be FQDNs.
Domain Name Label: A domain name label is that portion of a Domain Name appearing "between the dots", i.e. consider "foo.example.com": "foo", "example", and "com" are all domain name labels.
Effective Request URI is a
URI that can be constructed by an HTTP server for any given HTTP
request sent to it. Some HTTP
requests do not contain a contiguous representation of the URI
identifying the resource being addressed by the HTTP request.
Rather, different portions of a resource's URI may be mapped to
Request-Line header field and the
Host header field in an HTTP request message
The HTTP server coalesces these URI fragments and constructs an
equivalent of the Request-URI that was used by the UA to
generate the received HTTP request message.
FQDN is an acronym for Fully-qualified Domain Name. A FQDN is a Domain Name that includes all higher level domains relevant to the named entity (typically a STS Server in the context of this specification). If one thinks of the DNS as a tree-structure with each node having its own Domain Name Label, a FQDN for a specific node would be its label followed by the labels of all the other nodes between it and the root of the tree. For example, for a host, a FQDN would include the label that identifies the particular host, plus all domains of which the host is a part, up to and including the top-level domain (the root domain is always null) [RFC1594].
Known STS Server is a STS Server for which the UA has an STS Policy in effect.
Local policy is comprised of policy rules deployers specify and which are often manifested as "configuration settings".
MITM is an acronym for man-in-the-middle. See "man-in-the-middle attack" in [RFC4949].
Request URI is the URI used to cause a UA to issue an HTTP request message.
Strict Transport Security is the overall name for the combined UA- and server-side security policy defined by this specification.
Strict Transport Security Server is a HTTP server implementing the server aspects of the STS policy.
Strict Transport Security Policy is the name of the combined overall UA- and server-side facets of the behavior specified by this specification.
STS: See Strict Transport Security.
STS Policy: See Strict Transport Security Policy.
STS Server: See Strict Transport Security Server.
UA is a an acronym for user agent. For the purposes of this specification, a UA is an HTTP client application typically actively manipulated by a user [RFC2616] .
This section defines the syntax of the new header this specification introduces. It also provides a short description of the function the header.
The Server Processing Model section details how servers are to use this header. Likewise, the User Agent Processing Model section details how user agents are to use this header.
Strict-Transport-SecurityHTTP Response Header Field
Strict-Transport-Security HTTP response header
field indicates to a UA that it must enforce the
STS Policy in regards to the server emitting the
response message containing this header field.
The ABNF [RFC2616] syntax for the
HTTP Response Header field is:
Strict-Transport-Security = "Strict-Transport-Security" ":" "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]
max-age specifies the number of
seconds the UA should remember receipt of this
header field from this server. The
production is specified in [RFC2616].
includeSubDomains is a flag which, if present,
signals to the UA that the STS Policy
applies to this STS Server as well as any subdomains of the server's
[RFC2616] is used as
the ABNF basis in order to ensure that the new header has
equivalent parsing rules to the header fields defined in that same
specification. Note also that [RFC2616]
ABNF has a notion of implied linear white space ("implied
*LWS"), meaning that linear white space may occur between
adjacent words and separators in
HTTP Response Header instantiations.
This section describes the processing model that STS Servers implement. The model is comprised of two facets: the first being the processing rules for HTTP request messages received over a secure transport (e.g. TLS [RFC4346], SSL [SSL3], or perhaps others, the second being the processing rules for HTTP request messages received over non-secure transports, i.e. over TCP/IP [RFC793].
When replying to an HTTP request that was conveyed
over a secure transport, a STS Server must include a
Strict-Transport-Security HTTP Response Header that
satisfies the syntax given above.
If a STS Server receives a HTTP request message
over a non-secure transport, it should send a
HTTP response message containing a
301 and a
Location header field value
containing either the HTTP request's original Effective
Request URI altered as necessary to have a URI scheme
HTTPS, or a URI generated according to
local policy (which must employ
a URI scheme of
A STS Server
must not include the
Strict-Transport-Security HTTP Response Header in
HTTP responses conveyed over a non-secure
This section describes the Strict Transport Security processing model for UAs. There are several facets to the model, enumerated by the following subsections.
Also, this processing model assumes that all Domain Names manipulated in this specification's context are already in ASCII Compatible Encoding (ACE) format as specified in [RFC3490]. If this is not the case in some situation, use the operation given in Domain Name ToASCII Conversion Operation to convert any encountered internationalized Domain Names to ACE format before processing them.
Strict-Transport-SecurityResponse Header Field Processing
If an HTTP response, received over a secure transport,
HTTP Response Header field and there are no underlying secure transport
errors, the UA must:
If the substring matching the
host production from the
Request-URI, that the server
responded to, syntactically
productions from section 3.2.2 of [RFC3986], then
the UA must not note
this server as a Known STS Server.
Otherwise, if the substring does not congruently match a presently known STS Server,
per the matching procedure specified in Known STS Server Domain Name Matching,
the UA must
note this server as a Known STS Server, caching the STS Server's
Domain Name and noting along with it the expiry time of this information, as indicated
max-age, as well as whether the
flag is asserted or not.
A UA determines whether a Domain Name represents a Known STS Server by looking for a match between the query Domain Name and the UA's set of Known STS Servers.
Compare the query Domain Name string with the Domain Names of the UA's set of Known STS Servers. For each Known STS Server's Domain Name, the comparison is done with the query Domain Name label-by-label using an ASCII case-insensitive comparison beginning with the rightmost label, and continuing right-to-left, and ignoring separator characters (see clause 3.1(4) of [RFC3986]).
If a label-for-label match between an entire Known STS Server's Domain Name and a right-hand portion of the query Domain Name is found, then the Known STS Server's Domain Name is a superdomain match for the query Domain Name.
Query Domain Name: bar.foo.example.com Superdomain matched Known STS Server DN: foo.example.com
At this point, the query Domain Name is ascertained to effectively represent a Known STS Server. There may also be additional matches further down the Domain Name Label tree, up to and including a congruent match.
If a label-for-label match between a Known STS Server's Domain Name and the query domain name is found, i.e. there are no further labels to compare, then the query Domain Name congruently matches this Known STS Server.
Query Domain Name: foo.example.com Congruently matched Known STS Server DN: foo.example.com
Whenever the UA prepares to "load",
also known as "dereference",
any URI where the
host production of the URI
matches that of a Known STS Server --
either as a congruent match or as a superdomain match where the
superdomain Known STS Server has
includeSubDomains asserted --
and the URI's scheme is
then replace the URI scheme with "https"
before proceeding with the load.
When connecting to a Known STS Server, the UA must terminate the connection with no user recourse if there are any errors (e.g. certificate errors) with the underlying secure transport (regardless of what header fields are in any response).
UAs must not heed
attribute settings on
<meta> elements in
This operation converts a string-serialized Domain Name possibly containing arbitrary Unicode characters [UNICODEv5.0] into a string-serialized Domain Name in ASCII Compatible Encoding (ACE) format as specified in [RFC3490].
The operation is:
Apply the IDNA conversion operation (section 4 of [RFC3490]) to the string, selecting the ToASCII operation and setting both the AllowUnassigned and UseSTD3ASCIIRules flags.
This section is non-normative.
STS Policy expiration time considerations:
Server implementations and deploying web sites need to
consider whether they are setting an expiry time that is a
constant value into the future, e.g. by constantly sending the same
max-age value to UAs. Or,
whether they are setting an expiry time that is a fixed point
in time, e.g. by sending
max-age values that
represent the remaining time until the expiry time.
A consideration here is whether a deployer wishes to have signaled STS Policy expiry time match that for the web site's domain certificate.
Considerations for using Strict Transport Security in conjunction with self-signed public-key certificates:
If a web site/organization/enterprise is generating their own secure transport public-key certificates for web sites, and that organization's root certificate authority (CA) certificate is not typically embedded by default in browser CA certificate stores, and if STS Policy is enabled on a site wielding that organization's certificates, then secure connections to that site will fail without user recourse, per the STS design. This is to protect against various active attacks, as discussed above.
However, if said organization strongly wishes to employ self-signed certificates, and their own CA in concert with STS, they can do so by deploying their root CA certificate to their users' browsers. There are various ways in which this can be accomplished (details are out of scope for this specification). Once their root CA cert is installed in the browsers, they may employ STS Policy on their site(s).
Interactively distributing root CA certs to users, e.g. via email, and having the users install them, is arguably training the users to be susceptible to a possible form of phishing attack, see Bogus Root CA Certificate Phish plus DNS Cache Poisoning Attack.
This section is non-normative.
In order to provide users and web sites more effective protection, UA implementors should consider including features such as:
Disallowing "mixed security context" (also known as "mixed-content") loads (see section 5.3 "Mixed Content" in [W3C-WebSecGuide-UI]).
In order to provide behavioral uniformity across UA implementations, the notion of mixed security context aka mixed-content will require (further) standardization work, e.g. to more clearly define the term(s) and to define specific behaviors with respect to it.
In order to provide users effective controls for managing their UA's caching of STS Policy, UA implementors should consider including features such as:
In order to provide users and web sites more complete protection, UAs could offer advanced features such as these:
Ability for users to explicitly declare a given Domain Name as representing a STS Server, thus seeding it as a Known STS Server before any actual interaction with it. This would help protect against the bootstrap MITM vulnerability.
Such a feature is difficult to get right on a per-site basis -- see the discussion of "rewrite rules" in section 5.5 of [ForceHTTPS]. For example, arbitrary web sites may not materialize all their URIs using the "https" scheme, and thus could "break" if a UA were to attempt to access the site exclusively using such URIs. Also note that this feature would complement, but is independent of the following described facility.
Facility whereby web site administrators can have UAs pre-configured with STS Policy for their site(s) by the UA vendor(s) -- in a manner similar to how root CA certificates are embedded in browsers "at the factory". This would help protect against the bootstrap MITM vulnerability.
Such a facility complements the preceding described feature.
These latter items beg the question of having some means of secure web site metadata and policy discovery and acquisition. There is extant work that may be of interest, e.g. the W3C POWDER work, OASIS XRI/XRD work (as well as XRDS-Simple), and "Link-based Resource Descriptor Discovery" (draft-hammer-discovery-03).
This section is non-normative.
STS could be used to mount certain forms of DoS attacks, where attackers set fake STS headers on legitimate sites available only insecurely (e.g. social network service sites, wikis, etc.).
The bootstrap MITM (Man-In-The-Middle) vulnerability is a vulnerability users and STS Servers encounter in the situation where the user manually enters, or follows a link, to a STS Server using a "http" URI rather than a "https" URI. Because the UA uses an insecure channel in the initial attempt to interact with the specified serve, such an initial interaction is vulnerable to various attacks [ForceHTTPS].
There are various features/facilities that UA implementations may employ in order to mitigate this vulnerability. Please see UA Implementation Advice.
Active network attacks can subvert network time protocols (like NTP) - making this header less effective against clients that trust NTP and/or lack a real time clock. Network time attacks are therefore beyond the scope of the defense. Note that modern operating systems use NTP by default.
If an attacker can convince users of, say,
https://bank.example.com (which is protected by STS Policy), to install their own version of a root CA certificate purporting to be bank.example.com's CA, e.g. via
a phishing email message with a link to such a certificate -- then, if they can perform an attack on the users'
DNS, e.g. via cache poisoning, and turn on STS Policy for their fake bank.example.com site, then
they have themselves some new users.
Below is the Internet Assigned Numbers Authority (IANA) Provisional Message Header Field registration information per [RFC3864].
Header field name: Strict-Transport-Security Applicable protocol: HTTP Status: provisional Author/Change controller: TBD Specification document(s): this one
This appendix is non-normative.
This appendix documents various design decisions.
Cookies aren't appropriate for STS Policy expression as they are potentially mutable (while stored in the UA), therefore an HTTP header field is employed.
We chose to not attempt to specify how "mixed security context loads" (aka "mixed-content loads") are handled due to UA implementation considerations as well as classification difficulties.
A STS Server may update UA notions
of STS Policy via new STS header field
values. We chose to have UAs honor the
"freshest" information received from a server
because there is the chance of a web site sending out an
errornous STS Policy, such as a multi-year
max-age value, and/or an incorrect
includeSubDomains flag. If the
STS Server couldn't correct such errors over
protocol, it would require some form of annunciation to
users and manual intervention on their part, which could be
a non-trivial problem.
STS Servers are identified only via Domain Names -- explicit IP address identification of all forms is excluded. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security.
This appendix is non-normative.
The authors thank Michael Barrett, Sid Stamm, Maciej Stachowiak, Andy Steingrubl, Brandon Sterne, Daniel Veditz for their review and contributions.