How Do I Configure HTTP Strict Transport Security (HSTS) on NetScaler



Article ID: CTX205221


Description

HSTS stands for HTTP Strict Transport Security. Its main objective is to protect websites against attacks such as SSL stripping, cookie hijacking and protocol downgrade. RFC 6797 defines the IETF-standardized HSTS behaviour. HSTS lets a server declare to other entities (web browsers, applications, etc.) that they must communicate with it only over HTTPS. The web server does this by setting the Strict-Transport-Security HTTP response header field.

NetScaler 12.0 appliances support HTTP Strict Transport Security (HSTS) as a built-in option in SSL profiles and SSL virtual servers. For information on configuring this feature, refer to CTX224172 - How to Enable HTTP Strict Transport Security (HSTS) on NetScaler 12.

Use Case

  • Ramesh wishes to interact with various web sites (some arbitrary, some known) in a secure fashion through a web browser.

  • Banking.com wishes to offer their site in an explicitly secure fashion for their own, as well as their users', benefit.

Ramesh has a user account at banking.com and transacts through banking.com regularly. As usual, Ramesh wants to transfer money to a friend, so he accesses the website banking.com by typing the URL www.banking.com.

In this case the browser converts this to http://www.banking.com. The browser extracts the host name banking.com, queries the DNS server and obtains the IP address of the host server.

The browser contacts the received IP address on port 80. The banking website responds with a redirect to https://www.banking.com. The SSL handshake and certificate verification take place and an SSL connection is established. The padlock in the URL bar turns green and shows the locked state.

Ramesh can now enter his credentials safely to make the required transaction.

So what can go wrong? A man in the middle can intercept the DNS resolution request for banking.com and return the IP address of his own server to Ramesh. When the request reaches that IP address on port 80, he can redirect Ramesh to his own, slightly misspelled, website https://www.blanking.com. Ramesh might not notice the change and enter his credentials, handing his details to someone else.

Another possibility is that the intruder presents his own certificate for banking.com. This time the browser recognises that the certificate is not trusted and shows a pop-up asking Ramesh whether he wants to override the warning. People sometimes ignore warning messages and end up falling into the intruder's trap.

How does HSTS help?

HSTS is signalled by the Strict-Transport-Security field in the HTTP response header. The header also carries a value that tells the browser how long, in seconds, it should keep the website in its list of STS sites.

HSTS prevents the scenarios described above by ensuring that the browser only sends HTTPS requests to the site and does not let Ramesh override the certificate warning. In recent browser versions, when the browser is about to make an HTTP request to a website on its STS list, it automatically makes an HTTPS request to the server instead, protecting users from these attacks. Because SSL offloading is done on NetScaler, this feature can be enabled on NetScaler so that the actual backend servers get this protection for traffic passing through the NetScaler.


Instructions

To enable HSTS in NetScaler:

  1. Rewrite Action
    The first step is to create a rewrite action that inserts the STS header together with the lifetime value for this STS entry.
    Steps: Configuration >> AppExpert >> Rewrite >> Action >> "Select Add"
    Sample Configuration:
    Name: STS_Header (feel free to name it whatever you want to)
    Type: INSERT_HTTP_HEADER
    Header Name: Strict-Transport-Security
    Expression: "max-age=157680000"     <value is in seconds>

  2. Rewrite Policy
    Create a rewrite policy and select the previously configured rewrite action.
    Name: HSTS_Policy
    Action: STS_Header           <previously created rewrite action>
    Expression: TRUE

  3. Bind to Virtual Server
    Bind the policy to the NetScaler Gateway vserver (Policies -> Rewrite (Response)) and then save the configuration.
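The same three steps entered at the NetScaler command line, as an added example that is not part of this article: the action name, policy name and header value are the ones from the steps above; gw_vserver and lb_vserver are placeholder virtual server names and the priority value 100 is an assumption. Bind the policy only on SSL (HTTPS) virtual servers: RFC 6797 tells browsers to ignore a Strict-Transport-Security header that arrives over plain HTTP, so a binding on a port-80 vserver adds nothing.

```text
# Step 1: rewrite action that inserts the STS header.
# The expression is a string literal, so the value is quoted inside the quotes.
add rewrite action STS_Header insert_http_header Strict-Transport-Security "\"max-age=157680000\""

# Step 2: rewrite policy that applies the action to every response (expression TRUE).
add rewrite policy HSTS_Policy TRUE STS_Header

# Step 3a: bind on the NetScaler Gateway virtual server (placeholder name gw_vserver)
# as a response-time rewrite policy.
bind vpn vserver gw_vserver -policy HSTS_Policy -priority 100 -gotoPriorityExpression END -type RESPONSE

# Step 3b: equivalent binding on an SSL load-balancing virtual server (placeholder name lb_vserver).
bind lb vserver lb_vserver -policyName HSTS_Policy -priority 100 -gotoPriorityExpression END -type RESPONSE

# Persist the running configuration.
save ns config

# Confirm the objects exist and show their hit counters after a test request.
show rewrite action STS_Header
show rewrite policy HSTS_Policy
```

Use either 3a or 3b depending on whether the HTTPS front end is a Gateway vserver or a load-balancing vserver; the rewrite action and policy are shared.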

To test whether the STS header is being inserted:

  1. Access the vserver to which the STS rewrite policy was bound.
  2. Use the browser's developer tools or Fiddler to see the STS header being inserted.
  3. You should see the STS header with the max-age value set in the policy.
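Instead of reading the header by eye in developer tools, the check can be scripted. The following is an added example, not NetScaler code or part of this article: it parses a raw HTTP response the way a browser reads the Strict-Transport-Security header (RFC 6797 directive syntax) and reports whether max-age matches the value configured in the rewrite action. The two sample responses are constructed for the example; in practice you would feed it the response captured from the vserver.

```python
"""Check that a Strict-Transport-Security header is present and well formed."""
from typing import Dict, Optional

# Value configured in the article's rewrite action, in seconds (five years).
EXPECTED_MAX_AGE = 157680000


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Split an STS header value into a dict keyed by lowercase directive name.

    RFC 6797: directives are separated by ';', names are case-insensitive,
    a value may be a token or a quoted-string, and a directive must not be
    repeated. Value-less directives (includeSubDomains, preload) map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        if sep:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip quoted-string quotes
            directives[name] = value
        else:
            directives[name] = None
    return directives


def hsts_from_response(raw: bytes) -> Optional[str]:
    """Return the Strict-Transport-Security value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def check_hsts(raw: bytes, expected_max_age: int = EXPECTED_MAX_AGE) -> dict:
    """Summarise whether the response enforces HSTS as configured on the vserver."""
    value = hsts_from_response(raw)
    if value is None:
        return {"present": False, "ok": False, "reason": "header missing"}
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return {"present": True, "ok": False, "reason": str(exc)}
    if not (d.get("max-age") or "").isdigit():
        return {"present": True, "ok": False, "reason": "max-age missing or not numeric"}
    max_age = int(d["max-age"])
    if max_age == 0:
        reason = "max-age=0 tells the browser to forget the host"
    elif max_age < expected_max_age:
        reason = f"max-age {max_age} is below the configured {expected_max_age}"
    else:
        reason = "ok"
    return {
        "present": True,
        "ok": reason == "ok",
        "reason": reason,
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
    }


# Constructed sample responses (not captured from a real appliance).
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=157680000\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_MISSING = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("with policy", SAMPLE_OK), ("without policy", SAMPLE_MISSING)):
        print(label, check_hsts(sample))
```

The check flags max-age=0 separately because that value is how a site tells browsers to drop it from the STS list, which is the opposite of what this policy is meant to do.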

Issue/Introduction

HSTS stands for HTTP Strict Transport Security. Its main objective is to protect websites against attacks such as SSL stripping, cookie hijacking and protocol downgrade.

Additional Information

CTX219901 - Configuring an SSL Policy Action for Inserting Client Certificate Thumbprint in the HTTP Header on NetScaler 11.1