
Why is preloading HTTP Strict Transport Security risky?

Despite being designed to improve security, infosec experts have warned against preloading the HSTS protocol. Learn about the risks of preloaded HSTS with Judith Myerson.

Even though it was designed to improve security, some infosec experts have recently warned against preloading the HTTP Strict Transport Security protocol. What are the risks that come with preloaded HSTS?

When a preload directive is added to the HTTP security header, all the subdomains are included in the preloaded list, as shown in this example of an HTTP Strict Transport Security policy:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

When a user enters a web address, the browser is directed by the HTTP Strict Transport Security policy to use HTTPS for all the subdomains. The max-age value indicates that the preloaded list will remain in effect for 31,536,000 seconds -- one year. For that year, the policy instructs the browser to use HTTPS for the domain and all the included subdomains, so every web-accessible resource on the specified site must be reachable over HTTPS.

However, preloading this list can introduce three major risks. First, when subdomains are added to the list in error, removing erroneous domains after they are submitted to https://hstspreload.org/removal is not instantaneous. It can sometimes take a long time for the removal to propagate.

Second, shortening the max-age directive -- for example, from one year to 90 days -- to force an update after adding subdomains does not work, because the change may not propagate until the original max-age expires.

Third, some intranets and delegated hosts are only accessible over HTTP, which negates the use of HTTP Strict Transport Security.

Some organizations run both an intranet and a public site under the same domain, each on its own subdomain. Some sites also delegate subdomains under their main domain to third-party companies that provide advertising, analytics and backup services. If the vendor's servers don't provide HTTPS support for a site that has been upgraded to HTTPS, all the requests to the domain and the included subdomains will fail.

One workaround is to omit the preload directive or, if preloading is planned, to start with a shorter max-age -- 30 days -- until every subdomain is confirmed to support HTTPS. Another workaround is to place an HTTPS front end in front of an HTTP-only server, which should be done before securing the back-end server.
