user8705939

Add Strict-Transport-Security header to all HTTPS responses?

While reading through https://hstspreload.org I noticed in section "Deployment Recommendations" that I should "Add the Strict-Transport-Security header to all HTTPS responses...".

Because including the HSTS policy in all HTTPS responses sounds like overkill to me, I examined a few websites to check whether they really include this header field in all of their HTTPS responses. But not even Google is doing it; e.g. https://www.google.com/doodles has no Strict-Transport-Security header field in the response.

So my question is: when should a server response include the HSTS policy?

The options I see here are:

  1. Include HSTS in every HTTPS response.
  2. Include HSTS in every security-relevant HTTPS response.
  3. Include HSTS only for e.g. example.com, but not for any paths like example.com/mypath.
    • I mean, sooner or later they're going to visit example.com anyway, no?
  4. Include HSTS only if the request has an "upgrade-insecure-requests: 1" field.
    • I noticed that Chrome sends this request header field for security-relevant stuff if HSTS was not set.

Upvotes: 1

Views: 3365

Answers (1)

Barry Pollard

Reputation: 45895

I don’t think it’s overkill to add it to every resource. It’s a very small header and ensures the best chance of the HSTS policy being seen.

Many people even load a pixel from the base domain (e.g. www.example.com can load https://example.com/1pixel.png) to ensure the base domain HSTS policy is loaded as well. If you configure HSTS to only be delivered on documents then this is not picked up.

I certainly would not include it only on the home page. It’s not a valid assumption to say that sooner or later they will visit it.

What’s your concern here? You have a super-optimised site that will be killed by serving this header with each resource? For CSP I’d understand where you were coming from, as that header can get very large, but for HSTS I really think you’re overthinking this. Also, if using HTTP/2 then header compression solves this too. Plus the config needed to only return it on some resources would be added complexity and hassle you don’t really need.

Upvotes: 2
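A way to check which option a site actually implements is to audit a capture of its HTTPS responses for the header the answer recommends on every resource. The following is an added example, not code from the question, the answer or hstspreload.org: it parses the Strict-Transport-Security value (RFC 6797 directive syntax) and flags every HTTPS response, pixel images included, that lacks a preload-ready policy. The example.com responses are constructed, and the one-year max-age floor is assumed from the hstspreload.org submission requirements.

```python
from typing import Dict, List, Optional
# Assumed from the hstspreload.org submission requirements: max-age of at
# least one year, plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(value: str) -> Optional[Dict]:
    """Parse an RFC 6797 STS value; None when it has no valid max-age."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None  # malformed max-age: browsers drop the policy
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def audit_responses(responses: List[Dict]) -> List[str]:
    """One finding per HTTPS response without a preload-ready HSTS policy."""
    findings = []
    for resp in responses:  # each: {'url': ..., 'headers': {name: value}}
        url = resp["url"]
        if not url.lower().startswith("https://"):
            continue  # browsers ignore HSTS on plain-HTTP responses anyway
        headers = {k.lower(): v for k, v in resp["headers"].items()}
        raw = headers.get("strict-transport-security")
        if raw is None:
            findings.append(f"{url}: no Strict-Transport-Security header")
            continue
        policy = parse_hsts(raw)
        if policy is None:
            findings.append(f"{url}: unparseable HSTS value {raw!r}")
        elif policy["max_age"] < PRELOAD_MIN_MAX_AGE:
            findings.append(f"{url}: max-age {policy['max_age']} below one year")
        elif not (policy["include_subdomains"] and policy["preload"]):
            findings.append(f"{url}: missing includeSubDomains or preload")
    return findings

# Constructed sample capture: only the document carries a full policy.
SAMPLE_RESPONSES = [
    {"url": "https://www.example.com/", "headers":
        {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}},
    {"url": "https://www.example.com/1pixel.png", "headers": {"Content-Type": "image/png"}},
    {"url": "https://www.example.com/mypath", "headers": {"strict-transport-security": "max-age=300"}},
    {"url": "http://www.example.com/", "headers": {"Location": "https://www.example.com/"}},
]
```

Run against the constructed capture, `audit_responses(SAMPLE_RESPONSES)` reports the pixel (no header) and `/mypath` (max-age too short), which is exactly the "documents only" deployment the answer warns against.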
