Published: 5/1/2025

Securing Your Web: Identifying, Understanding, and Resolving HSTS Non-Compliance

by Zero Trust

This article highlights the work the Zero Trust Team has done involving HTTP Strict Transport Security (HSTS) compliance.

Learn about HTTP Strict Transport Security (HSTS) and why it’s important! 

What is HTTP Strict Transport Security (HSTS)? 

HTTP Strict Transport Security (HSTS) is a web security setting, delivered as an HTTP response header, that instructs browsers to connect to a site only over HTTPS and to automatically upgrade any HTTP request to HTTPS. HSTS helps prevent manipulator-in-the-middle attacks such as cookie hijacking and protocol downgrade attacks. OMB Memo M-22-09 requires agencies to enforce HSTS and submit their domains for preloading.

What is the Zero Trust Team doing? 

The Zero Trust Team is working on identifying which ‘cms.gov’ websites are not HSTS compliant, the reasons for it, and whether they are capable of being HSTS compliant. We utilized a tool from Hardenize to understand which URLs were not HSTS compliant. Hardenize is a tool that thoroughly evaluates the network and security setup of an external website. We identified a few reasons why a website may not be HSTS compliant:  

  • the website uses HTTP but not HTTPS
  • the TLS certificate is expired or misconfigured
  • the max-age value is less than the recommended six months
  • the HSTS header does not include the ‘includeSubdomains’ directive
  • the website is HSTS eligible but has not been preloaded
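The checks behind these reasons can be applied to a captured response without touching the network. The following Python is an added example, not the Zero Trust Team's tooling or Hardenize's; it parses a Strict-Transport-Security header per RFC 6797 and reports which of the reasons above apply, using the six-month threshold from this article (approximated as 180 days). Certificate validity and actual preload-list membership are outside what a header alone can show, so they are not evaluated here.

```python
from dataclasses import dataclass, field
from typing import Optional

# Threshold from the article: max-age should be at least six months (approximated here as 180 days).
SIX_MONTHS_SECONDS = 180 * 24 * 60 * 60  # 15,552,000 seconds

@dataclass
class HstsResult:
    present: bool = False            # header found on an HTTPS response
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list = field(default_factory=list)  # one entry per non-compliance reason

def parse_hsts(value: str) -> tuple:
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
    case-insensitive names, max-age value optionally double-quoted."""
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age" and raw.isdigit():
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload

def evaluate_hsts(scheme: str, headers: dict) -> HstsResult:
    """Map one response (URL scheme plus headers) to the article's non-compliance reasons."""
    result = HstsResult()
    if scheme.lower() != "https":  # browsers ignore HSTS sent over plain HTTP
        result.findings.append("site is served over HTTP, not HTTPS; HSTS cannot take effect")
        return result
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        result.findings.append("no Strict-Transport-Security header on the HTTPS response")
        return result
    result.present = True
    result.max_age, result.include_subdomains, result.preload = parse_hsts(value)
    if result.max_age is None:
        result.findings.append("max-age directive missing or not numeric (header is invalid)")
    elif result.max_age < SIX_MONTHS_SECONDS:
        result.findings.append(f"max-age={result.max_age} is below the six-month minimum of {SIX_MONTHS_SECONDS}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains directive missing")
    if not result.preload:
        result.findings.append("preload directive missing (needed before submitting the domain for preloading)")
    return result
```

Feeding it a constructed response such as `evaluate_hsts("https", {"Strict-Transport-Security": 'max-age="300"'})` returns three findings: the short max-age, the missing includeSubDomains directive, and the missing preload directive.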

The Zero Trust Team retrieved the URLs from Hardenize and was then tasked with identifying their owners and mapping them to FISMA systems. One method we used was matching the URLs from Hardenize to those on the System Census, which also listed the corresponding system acronyms. Once we had the acronym, we could identify the owner in CFACTS. If the URLs were not on the System Census, we used other data sources such as Confluence and Snowflake to match them to FISMA systems.

Hardenize identified over 3,000 URLs, but only a little over 370 were web servers that were non-compliant with HSTS. The team has created a dashboard in Snowflake to help track HSTS status and match URLs to FISMA systems. In the future, we will move this dashboard to Tableau, providing all of this information in one place. This will allow us to track each website's progress toward HSTS compliance as we continue matching URLs.

Takeaway and Next Steps 

Complying with OMB Memo M-22-09 helps to ensure that each website has enhanced security, which in turn brings benefits such as enforcing HTTPS and preventing manipulator-in-the-middle attacks.

It may take time, but the Zero Trust Team is diligently working on reaching this goal by mapping URLs to FISMA systems and identifying system owners. Once the team has identified all the non-compliant websites, we will contact system owners to explain why they are non-compliant and how to address it. 

In order for a domain to be preloaded, all subdomains must first be HSTS compliant. We need everyone’s help to get ‘cms.gov’ preloaded! You can check if your subdomain is HSTS compliant by visiting Hardenize and entering your website. The results will appear on the left-hand side under 'Strict Transport Security'.

About the publisher:

The Zero Trust Team works to help CMS implement the Executive Order that requires continuous verification of system users to promote stronger security. We introduce new tools and streamline processes to support the transition to Zero Trust throughout the enterprise.