What is the difference between Enable HSTS and Force HTTPS for Web Apps?


Thanks.

Solution

Hi Harlin,

HSTS is a security measure that relies on the server sending a special response header. This will force the browser (if the browser supports this) to prevent requests from being sent through HTTP for that domain. So, the main difference between HTTPS and HSTS is at the client side.

You can find more information about HSTS here:

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

Cheers,

José


Thanks. To recap: Force HTTPS is done by a redirect on the server side, and HSTS is done by the browser (client side), which replaces all http:// with https:// after receiving the special header?

Hi Harlin,

That's basically it. Notice however that when you enable HSTS, you will also be Forcing HTTPS, it's selected automatically for you when you tick HSTS.

Why? Well, because not all browser versions support HSTS. For instance, IE10 and below don't support it. Browsers that don't support HSTS will ignore the header, which would leave the door open. In those cases, the server-side Force HTTPS kicks in.
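The exchange above, as an added simulation that is not part of the original thread and not OutSystems platform code. The server, browser and URLs are constructed for the example: serve() plays the server (Force HTTPS = 301 redirect of plain-http requests; HSTS = Strict-Transport-Security header on https responses), and Browser plays a client that either understands that header or, like the old IE versions José mentions, ignores it. The max-age value is an assumption, not a platform default.

```python
"""Constructed simulation of 'Force HTTPS' (server-side redirect) versus
'HSTS' (server sends a header, a supporting browser enforces it)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

HSTS_HEADER = "Strict-Transport-Security"
ONE_YEAR = 31536000          # max-age in seconds; assumed value for the example


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def to_https(url: str) -> str:
    """Same URL with the scheme swapped to https."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def serve(url: str, force_https: bool, hsts: bool) -> Response:
    """Server side. Force HTTPS answers plain-http requests with a redirect;
    HSTS adds the header to https responses only (browsers ignore the header
    when it arrives over plain http, so sending it there does nothing)."""
    if urlsplit(url).scheme == "http":
        if force_https:
            return Response(301, {"Location": to_https(url)})
        return Response(200)                       # served in clear text
    resp = Response(200)
    if hsts:
        resp.headers[HSTS_HEADER] = f"max-age={ONE_YEAR}"
    return resp


def parse_max_age(value: str) -> int:
    """Extract the max-age directive from a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age":
            return int(num)
    raise ValueError("max-age directive missing")


@dataclass
class Browser:
    supports_hsts: bool
    hsts_hosts: dict = field(default_factory=dict)   # host -> expiry (seconds)

    def fetch(self, url: str, force_https: bool, hsts: bool, now: float) -> list:
        """Client side. Returns every URL actually sent on the wire.
        A browser that supports HSTS and holds a live entry for the host
        rewrites http:// to https:// before the first request leaves the
        machine. Any other browser sends the clear-text request, and only
        the server-side redirect (Force HTTPS) can upgrade it afterwards."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.supports_hsts:
            if self.hsts_hosts.get(parts.hostname, 0) > now:
                url = to_https(url)
        sent = []
        for _ in range(5):                         # bounded redirect chase
            sent.append(url)
            resp = serve(url, force_https, hsts)
            if resp.status == 301:
                url = resp.headers["Location"]
                continue
            value = resp.headers.get(HSTS_HEADER)
            if value is not None and self.supports_hsts:
                host = urlsplit(url).hostname
                self.hsts_hosts[host] = now + parse_max_age(value)
            return sent
        return sent


if __name__ == "__main__":
    modern, legacy = Browser(True), Browser(False)
    for label, b in (("HSTS-capable", modern), ("no HSTS support", legacy)):
        first = b.fetch("http://example.com/login", True, True, now=0)
        later = b.fetch("http://example.com/account", True, True, now=60)
        print(f"{label}: first visit {first}; later visit {later}")
```

Running it shows the difference José describes: the HSTS-capable browser sends one clear-text request on its very first visit (it has not seen the header yet), and from then on never sends http:// to that host until max-age expires; the browser without HSTS support sends a clear-text request every time and is only rescued by the 301, which is why Force HTTPS is kept on whenever HSTS is enabled.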