Secure HTTP without HSTS

By | April 11, 2017

In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website especially when dealing with some legacy technology. 

Often when dealing with legacy systems some sections of your website needs to run in an unsecure manner while the site is being prepared to run under HTTPS in its entirety. So the module is aimed as a temporary solution only.

Note that a website is not really secure unless the entire site can transact under https only.

So how does one go about enforcing secure HTTP for the majority of your site while whitelisting some pages to be accessed in a unsecure manner? I had the exact problem and so set out to find a solution. It is possible to do it with the url rewrite module that I briefly touched on in the previous post but unfortunately I had some restrictions that prevented me from using the url rewrite module.

In the end I wrote a custom HttpModule in C#. The module is configuration driven and enforces secure http connections but also allows the developer to specify a whitelist of uri’s that are allowed to be unsecured. I have to say that you do not actually want to do this. This is not how you #DoITRight, #DoItOnce. Ideally you should enable HSTS as described in the previous post. The module that I have written to secure http without HSTS can be found here.

Once the module is downloaded and referenced in your project some configuration is required.

Add the following in the configSection of the web.config.

<sectionGroup name="HttpSecureGroup">
<section name="HttpSecureSection"
type="SecureHttpModule.Configuration.HttpSecureSection"
allowLocation="true"
allowDefinition="Everywhere"/>
</sectionGroup>

Then load the module itself.

<system.webServer>
<modules>
<add name="HttpRedirect" type="SecureHttpModule.HttpRedirect"/>
</modules>
</system.webServer>

Now configure the module.

  1. The HttpSecureSection has a property called secureOption. Possible values are SecureAll & SecureAllExceptOptOut
  2. Add the whitelist urls to the OptOut section as in the example below.
<HttpSecureGroup>
<HttpSecureSection secureOption="SecureAllExceptOptOut">
<OptOut>
<add uri="http://WayneCliffordBarker.co.za/About.html" />
</OptOut>
</HttpSecureSection>
</HttpSecureGroup>

Note, although we are enforcing the site to transact in a secure manner, this does not protect the end consumer against a man in middle attack.

You might also be interested in these posts; all related the POODLE vulnerability.

Securing Http with HSTS in IIS
How to disable insecure cipher suits
Enable secure cookies over HTTPS.

One thought on “Secure HTTP without HSTS

  1. Pingback: Securing Http with HSTS in IIS – Wayne Clifford Barkers' Blog

Leave a Reply

Your email address will not be published. Required fields are marked *