"HTTP Strict Transport Security" (HSTS) header handling in HTTPS Inspection
Solution

Background

"HTTP Strict Transport Security" (HSTS, RFC 6797) is an HTTP response header that a web server can use to inform clients (such as web browsers) that the particular website may only be accessed over HTTPS (with SSL/TLS), never in clear text.

After noting an HSTS header in a server response, the browser "remembers" that the site has HSTS and will never use clear text for requests to it. This is useful in thwarting SSL stripping attacks.

In the majority of cases, HSTS does not affect HTTPS Inspection, because HTTPS Inspection does not perform SSL stripping: the HSTS header is allowed to pass through, and the connection that the client opens is a valid HTTPS connection.

The only expected issue concerns Section 12.1 of RFC 6797, which requires that any error in establishing the HTTPS connection be treated as fatal, with no recourse given to the user. "No recourse" means that the user is simply blocked, without any possibility of overriding the decision.

If a user device connects to the Internet from behind a TLS proxy (such as Check Point's HTTPS Inspection) without trusting the proxy's CA, the device will get a certificate warning screen for every HTTPS connection. For any site that has HSTS, this means that the user is blocked without recourse.
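The behaviour described above, as an added example that is not part of this article or of Check Point's software: a minimal RFC 6797 HSTS policy store (parsing max-age and includeSubDomains, ignoring unknown directives, honouring expiry and max-age=0) and the decision a conforming browser makes when the certificate presented for a host is not trusted. Host names and header values are constructed for illustration.

```python
"""Minimal HSTS policy store and user-agent decision (illustrative, not Check Point code)."""
import re
import time


class HstsStore:
    """Known HSTS hosts: lowercase host -> (expiry_timestamp, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def note_header(self, host, header, now=None):
        """Record a Strict-Transport-Security header received over a valid HTTPS connection."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age" and re.fullmatch(r"\d+", value):
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
            # Unknown directives (e.g. "preload") are ignored, per RFC 6797 section 6.1.
        if max_age is None:
            return False  # max-age is mandatory; the header is ignored without it
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the UA to forget the policy
            return True
        self.hosts[host] = (now + max_age, include_sub)
        return True

    def is_hsts_host(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue  # no policy, or expired
            if i == 0 or entry[1]:
                return True
        return False


def handle_https_connection(store, host, cert_trusted, now=None):
    """Outcome when the browser validates the server certificate for host."""
    if cert_trusted:
        return "connect"  # e.g. the HTTPS Inspection CA is in the trusted store
    if store.is_hsts_host(host, now):
        return "block-no-recourse"  # RFC 6797 section 12.1: fatal, no click-through
    return "warn-user-may-override"  # ordinary certificate warning page
```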

Recommendations

When using the HTTPS Inspection blade, this issue is resolved by adding the HTTPS Inspection CA certificate to the list of trusted certificates on the client devices, which is part of the blade's configuration requirements.
