HTTP response header that forces browsers to use HTTPS for a domain.
HSTS (HTTP Strict Transport Security, RFC 6797) is an HTTP response header that tells the browser to always use HTTPS for the domain and to refuse any downgrade to HTTP. It protects against SSL stripping attacks, where a MITM attacker intercepts the initial plaintext HTTP request before the redirect to HTTPS. The browser only honours the header when it arrives over a valid HTTPS connection; a copy sent over plain HTTP is ignored. Once a policy is cached, the browser also refuses to let the user click through certificate errors for that host.
Header format: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
Parameters:
(1) **max-age**: number of seconds during which the browser enforces HSTS for this domain, refreshed every time the header is received again. Recommended: at least 1 year (31536000), often 2 years (63072000) in production. `max-age=0` tells the browser to delete the cached policy.
(2) **includeSubDomains**: also applies the policy to every subdomain. Caution: all subdomains, including internal, legacy and vendor-hosted ones, must serve valid HTTPS, otherwise they become unreachable in browsers that have cached the policy.
(3) **preload**: opt-in to the HSTS Preload List embedded in Chrome, Firefox, Safari and Edge. The browser then treats the domain as HTTPS-only even on the very first visit, closing the window before the header has ever been received. The directive is not defined in RFC 6797; it is a browser-vendor convention, and on its own it changes nothing until the domain is actually on the list.
HSTS Preload List (hstspreload.org):
- Submit the domain for inclusion in the built-in browser lists (the list is maintained by the Chromium project and imported by the other browsers).
- Requirements: valid certificate; HTTP on the root redirects to HTTPS on the same host; all subdomains served over HTTPS; the header on the HTTPS root with max-age ≥ 1 year (31536000), includeSubDomains and the preload directive.
- Removal is hard (a removal request takes months to reach released browsers, and users on older versions keep the entry), so submission is a long-term commitment, not a checkbox.
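Added example (not code from the original page or from hstspreload.org): a Python parser for the header following the RFC 6797 directive syntax, plus a check of the header-level preload requirements listed above. The sample header values are constructed; the site-level requirements (valid certificates on every subdomain, the HTTP to HTTPS redirect) cannot be checked offline and are out of scope here.

```python
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the header is invalid and a browser would ignore it."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age="31536000" is valid syntax
        if name in seen:
            return None                      # a directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None                  # delta-seconds must be a plain integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored for forward compatibility
    if max_age is None:
        return None                          # max-age is the only required directive
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "preload": preload}


def preload_problems(header: str) -> List[str]:
    """Reasons the header alone would fail the preload list requirements.
    An empty list means the header part of the submission is acceptable."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header is malformed or lacks max-age; browsers ignore it"]
    problems = []
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age={policy['max_age']} is below the required "
                        f"{ONE_YEAR} (1 year)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # constructed sample headers
    for h in (
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",                              # first rollout step
        'max-age="63072000"; includeSubDomains',    # quoted value, no preload
        "max-age=31536000; max-age=0",              # duplicate directive
    ):
        print(f"{h!r:48} -> {preload_problems(h) or 'eligible'}")
```

Unknown directives are skipped rather than rejected, which matches RFC 6797 and means a future directive will not break the check.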
Protects against:
(1) **SSL stripping** (sslstrip attack): the MITM attacker intercepts the plaintext HTTP request before the redirect to HTTPS and keeps the victim on HTTP. With a cached policy the browser never issues that plaintext request, so there is nothing to strip.
(2) **Insecure same-site subresources**: the browser rewrites `http://` URLs for the domain (and its subdomains with includeSubDomains) to `https://` before fetching, so a stray HTTP link or image on the site does not cause a plaintext request. Blocking of third-party mixed content is a separate browser mechanism, not HSTS.
(3) **Cookie hijacking** over HTTP: since no request to the domain goes out in plaintext, cookies are never exposed to a passive sniffer. Still set the Secure attribute on cookies; HSTS does not apply until the policy is cached.
(4) **Captive portals** and other interception presenting fake login pages: a cached policy makes certificate errors non-bypassable for the domain, so the user gets a hard error instead of the portal's page.
Limitations:
(1) **TOFU** (Trust On First Use): the first visit, before any HSTS header has been received, is unprotected (solved by the preload list).
(2) **DNS hijacking**: HSTS does not stop an attacker who controls DNS from redirecting the domain to their own server, but it forces that server to present a certificate valid for the domain, since certificate errors cannot be clicked through. Complementary defences: DNSSEC, DANE, CAA records and Certificate Transparency monitoring for mis-issued certificates.
(3) **Removing HSTS**: enabling preload by mistake, or shipping a long max-age before every subdomain is ready, is painful to revert. A cached policy can only be cleared with `max-age=0` for users who come back, and a preload entry stays in browsers for years.
Deployment best practices:
(1) Start with a **short max-age** (e.g. 300 seconds) for testing.
(2) Increase gradually to 1 year once confident.
(3) Add **includeSubDomains** after verifying every subdomain, including internal and legacy hosts.
(4) Add **preload** after several stable months, then submit to the preload list.
(5) **Monitor** for subdomains that are accidentally HTTP-only (they break as soon as includeSubDomains is cached).
(6) Combine with an **HTTPS redirect** (301 or 308) at the server, and send the header on HTTPS responses: a browser ignores it over plain HTTP, so sending it there has no effect.
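Added example (not code from the original page or from any browser): a minimal Python model of the browser's HSTS cache, following RFC 6797 sections 8.1 to 8.3, that replays the staged rollout above and the limitations listed earlier (TOFU, header ignored over HTTP, expiry, removal with max-age=0, preload). The hostnames (example.com, api.example.com, preloaded.example) and the clock values are constructed for the walkthrough; the preload list is simulated as a dictionary handed to the cache.

```python
from typing import Dict, Optional, Tuple


class HstsCache:
    """Browser-side HSTS policy store, modelled on RFC 6797 sections 8.1-8.3."""

    def __init__(self, preload: Optional[Dict[str, bool]] = None):
        # cached policies: host -> (expiry as epoch seconds, includeSubDomains)
        self._policies: Dict[str, Tuple[float, bool]] = {}
        # simulated built-in preload list: host -> includeSubDomains; never expires
        self._preload: Dict[str, bool] = dict(preload or {})

    def observe_response(self, host: str, scheme: str, max_age: int,
                         include_subdomains: bool, now: float) -> bool:
        """Process a Strict-Transport-Security header seen on a response.
        Returns True if the browser honoured it. Section 8.1: the header is
        only processed when it arrived over HTTPS without certificate errors."""
        if scheme != "https":
            return False
        if max_age == 0:
            # max-age=0 is the documented way to clear a cached policy
            self._policies.pop(host, None)
            return True
        self._policies[host] = (now + max_age, include_subdomains)
        return True

    def is_known_hsts_host(self, host: str, now: float) -> bool:
        """Sections 8.2-8.3: exact match on the host, or a match on a parent
        domain whose policy (cached or preloaded) carries includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self._preload and (exact or self._preload[candidate]):
                return True
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                del self._policies[candidate]  # expired policy is discarded
                continue
            if exact or include_subdomains:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Section 8.3: rewrite http:// to https:// (and port 80 to 443) for a
        known HSTS host before any request leaves the browser."""
        if not url.startswith("http://"):
            return url
        authority, sep, path = url[len("http://"):].partition("/")
        host, _, port = authority.partition(":")
        if not self.is_known_hsts_host(host, now):
            return url
        if port == "80":
            authority = host + ":443"
        return "https://" + authority + sep + path


def rollout_walkthrough() -> Dict[str, str]:
    """Replay the staged rollout with a fixed clock and constructed hostnames.
    Returns the URL the browser would actually fetch at each step."""
    t0 = 1_700_000_000.0
    cache = HstsCache(preload={"preloaded.example": True})
    out: Dict[str, str] = {}
    # TOFU: nothing cached yet, so the first request goes out in plaintext
    out["first_visit"] = cache.upgrade("http://example.com/login", t0)
    # a header on a plain-HTTP response (e.g. injected by a MITM) is ignored
    cache.observe_response("example.com", "http", 31536000, True, t0)
    out["after_http_header"] = cache.upgrade("http://example.com/login", t0)
    # rollout step 1: short max-age over HTTPS, no includeSubDomains yet
    cache.observe_response("example.com", "https", 300, False, t0)
    out["pilot"] = cache.upgrade("http://example.com/login", t0 + 10)
    out["pilot_subdomain"] = cache.upgrade("http://api.example.com/v1", t0 + 10)
    out["pilot_expired"] = cache.upgrade("http://example.com/login", t0 + 301)
    # rollout steps 2-3: one year with includeSubDomains
    cache.observe_response("example.com", "https", 31536000, True, t0 + 400)
    out["full_subdomain"] = cache.upgrade("http://api.example.com/v1", t0 + 500)
    out["full_port"] = cache.upgrade("http://example.com:80/", t0 + 500)
    # max-age=0 clears the cached policy; this cannot undo a preload entry
    cache.observe_response("example.com", "https", 0, False, t0 + 600)
    out["after_removal"] = cache.upgrade("http://example.com/login", t0 + 700)
    # preloaded domain: upgraded on the first visit, no header ever seen
    out["preloaded"] = cache.upgrade("http://www.preloaded.example/", t0)
    return out


if __name__ == "__main__":
    for step, url in rollout_walkthrough().items():
        print(f"{step:20} {url}")
```

The pilot step shows why starting with a short max-age is safe: a mistake expires on its own within minutes, whereas the one-year policy with includeSubDomains immediately makes every subdomain HTTPS-only for anyone who has visited the root.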
Vendor support: all major browsers. Chrome, Firefox, Opera and Safari supported it by 2013; IE 11 and Edge added it in 2015. It is now a baseline security expectation. Related certifications: Security+, AZ-500.