HSTS Web Security Policy


  • This application demonstrates HTTP Strict Transport Security (HSTS), a web security policy that helps protect websites against protocol downgrade attacks such as SSLStrip.

  • We assume that you are already familiar with SSLStrip. If not, please visit our SSLStrip demonstration page first.
  • In this demonstration, four containers will be created for you: one each for the victim and the hacker, and two server containers, one that enforces HSTS and one that does not.

  • The hacker container comes preloaded with the applications you will need to perform an SSLStrip attack on the victim.

  • As in the SSLStrip case, the victim container is a web emulation of a basic Ubuntu Linux machine with a terminal and Firefox browser.

  • If you recall, a hacker performing an SSLStrip attack sits between the victim and the server and replaces the HTTPS links the victim sees with HTTP ones, so the victim unknowingly communicates with the hacker in cleartext while the hacker relays the traffic to the real server.

  • The HSTS policy is intended to protect against such protocol downgrade attacks: the server tells web browsers to interact with it only via HTTPS, and the browser remembers that instruction and upgrades any later http:// request to that host to https:// before the request leaves the machine, so there is no cleartext request for the hacker to intercept.

  • Servers declare this policy with a special HTTP response header field named "Strict-Transport-Security". Its max-age directive says how many seconds the browser should remember the policy, and the optional includeSubDomains directive extends it to subdomains. Browsers only honour the header when it arrives over HTTPS, so a hacker on a plain HTTP path can neither set nor clear it.

  • In this demonstration, you will essentially repeat the steps of the SSLStrip attack and compare the results against the server that does not enforce HSTS versus the server that does.


  • Ready to go? Try it!
  • Note: you will have around 20 minutes to test this application.
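To make the browser-side behaviour concrete before you run the lab, here is an added example (not part of this demonstration's containers or tooling) that models a browser's HSTS store in Python: it parses the Strict-Transport-Security header as RFC 6797 describes, remembers the policy only when the header was received over HTTPS, and then shows what happens to the http:// links an SSLStrip attacker hands the victim. The host names (nohsts.example, hsts.example) and the response headers are constructed for the example and are not the lab's actual servers.

```python
"""Toy model of a browser's HSTS store, showing why SSLStrip fails against an HSTS host.

Added example: models RFC 6797 behaviour; host names and responses are constructed.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# One STS directive: name, optionally =value (quoted or bare). Directives are ';'-separated.
_DIRECTIVE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_sts(header_value):
    """Return (max_age_seconds, include_subdomains) or None if the header is invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header_value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in seen:                      # RFC 6797 6.1: a directive must not repeat
            return None
        seen.add(name)
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives (e.g. "preload") are ignored, as the RFC requires.
    if max_age is None:                       # max-age is mandatory
        return None
    return max_age, include_sub


class HstsCache:
    """Minimal per-host HSTS store, like the one a browser keeps across visits."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, headers):
        """Record an STS header from a response; ignored unless the response came over HTTPS."""
        u = urlsplit(url)
        if u.scheme != "https" or not u.hostname:  # RFC 6797 8.1: only trust it over TLS
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                          # max-age=0 tells the browser to forget the host
            self._hosts.pop(u.hostname, None)
        else:
            self._hosts[u.hostname] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self._now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """What the browser does before sending: upgrade http:// to https:// for known hosts."""
        u = urlsplit(url)
        if u.scheme != "http" or not u.hostname or not self.is_known(u.hostname):
            return url
        netloc = u.hostname
        if u.port not in (None, 80):              # RFC 6797 8.3: port 80 becomes 443, others kept
            netloc += f":{u.port}"
        return urlunsplit(("https", netloc, u.path, u.query, u.fragment))


def demo(clock_start=1_000_000.0):
    """Victim visited both servers over HTTPS earlier; now SSLStrip serves http:// links."""
    clock = [clock_start]
    cache = HstsCache(now=lambda: clock[0])
    # Constructed responses from the two demo servers (genuine HTTPS visits, before the attack).
    cache.observe("https://nohsts.example/login", {"Content-Type": "text/html"})
    cache.observe("https://hsts.example/login",
                  {"Content-Type": "text/html",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    # An attacker on the HTTP path cannot inject a policy of their own (ignored over http://).
    cache.observe("http://nohsts.example/", {"Strict-Transport-Security": "max-age=1"})
    # Links on the page after SSLStrip rewrote https:// to http://. Which does the browser fetch?
    stripped = ["http://nohsts.example/login", "http://hsts.example/login",
                "http://accounts.hsts.example/login"]
    return {link: cache.rewrite(link) for link in stripped}


if __name__ == "__main__":
    for before, after in demo().items():
        print(f"{before:40} -> {after}")
```

The output mirrors what you should see in the lab: the link for the non-HSTS server stays http:// and the hacker's proxy gets the cleartext request, whereas the links for the HSTS server (and, because of includeSubDomains, its subdomains) are upgraded to https:// inside the browser before any packet is sent, so SSLStrip never sees them. The caveat the model makes visible is that the policy exists only after a genuine HTTPS visit: a victim who has never reached the HSTS server over HTTPS is still strippable on that first visit, which is the gap browser preload lists exist to close.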