Brian Jackson - Fotolia

HTTP Strict Transport Security: What are the security benefits?

Google's use of HTTP Strict Transport Security aims to improve web browsing security. Expert Judith Myerson explains how HSTS can make the internet more secure.

Google recently announced that it plans to enforce HTTP Strict Transport Security for many of its top-level domains. What are the security benefits of HTTP Strict Transport Security? Are there any drawbacks?

Google plans to enforce HTTP Strict Transport Security (HSTS) whether or not SSL is used as a search engine optimization ranking signal. The security benefits of this are that HTTP Strict Transport Security provides trust, verifies the SSL certificate and guarantees the integrity of data. The lock icon in the address bar in the browser lets web visitors know the website connection is secure.

Verifying SSL certificates ensures that the organization installing the SSL certificate on a server is its legitimate owner. Being able to guarantee the integrity of data prevents a third party from intercepting and changing data going to and from the web server.

The HTTP Strict Transport Security preload list is built into all major browsers. The list can contain individual domains or subdomains, as well as top-level domains. Google has already implemented HSTS for some of its top-level domains, including .google, .foo and .dev, and is included in the HTTP Strict Transport Security preload list, as well. The browser changes to before sending the request. An organization should encrypt visitors' web data in one server, and then get it to a caching server.

The issue is the type of HTTPS implementation an organization chooses: free, paid or cloud-based. A paid implementation may be expensive, but it's easier to do across multiple domains; plus, it is valid for a year or more. The free implementation is only valid for 90 days, and it is incompatible with BlackBerry and Nintendo 3DS.

A bigger issue is that Google recently received a very low grade from -- a website run by Scott Helme to analyze and rate website response headers -- for not implementing all the necessary HTTP security response headers. reported that three response headers were not added to a server.

However, Google received credit for implementing two response headers to protect against click-jacking and cross-site scripting attacks. The browsers aren't forced to use the preload list, and the certificates -- which are most likely free -- are valid for 60 days, not for 90 days or a year.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Find out whether HTTP public key pinning is necessary for browser security

Dig Deeper on Application and platform security

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing