June 9, 2015 10:00 am

HTTP Strict Transport Security comes to Internet Explorer 11 on Windows 8.1 and Windows 7

In February, we released the first preview of HTTP Strict Transport Security in Internet Explorer 11 in the Windows 10 Insider Preview. The HTTP Strict Transport Security (HSTS) policy protects against the class of man-in-the-middle attacks, often called SSL stripping, in which an attacker on the network path quietly downgrades the connection to a server from TLS to plain HTTP, leaving the user exposed.

With today’s monthly security updates (KB 3058515), we’re bringing the protections offered by HSTS to Internet Explorer 11 on Windows 8.1 and Windows 7. HSTS is also available in both Internet Explorer 11 and Microsoft Edge on Windows 10.

Site developers can opt a site in to the HSTS preload list, a list compiled directly into Microsoft Edge, Internet Explorer, and other browsers. For a listed host the browser rewrites every http:// request to https:// before it leaves the machine, so even the very first connection to the site is secure and there is no plaintext request for an attacker to intercept. Like the other browsers that have implemented this feature, Microsoft Edge and Internet Explorer 11 base their preload list on the Chromium HSTS preload list.

Alternatively, sites not on the preload list can enable HSTS via the Strict-Transport-Security HTTP response header. Once the browser has received that header on an HTTPS response from the site, it rewrites any later http:// request for that host to https:// itself, for as long as the header's max-age directive specifies, so the insecure request is never sent. The header only takes effect when it arrives over HTTPS; a browser ignores it on a plain HTTP response, since otherwise an attacker on the path could set or clear the policy. This leaves the very first visit to a site unprotected, which is the gap the preload list closes.
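The two opt-in paths described above (a host carried in the preload list, and a host learned from the response header) can be modelled in a small policy cache. The following is an added example written for this page, not Microsoft's or any browser's code; it follows the rules of RFC 6797: the header is ignored on plain-HTTP responses, max-age=0 forgets a learned host (but cannot remove a preloaded one), includeSubDomains extends a policy to hosts beneath it, preloaded hosts never expire, and an http:// URL for a covered host is rewritten to https:// with port 80 mapped to 443 and any other explicit port preserved. The host names, header values and clock values are constructed for the example.

```python
"""Model of a browser's HSTS policy cache after RFC 6797 (added example, not browser code)."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute epoch time; float("inf") for preloaded hosts
    include_subdomains: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security field value into (max_age, include_subdomains).

    Returns None for a malformed header (missing max-age, repeated or unparsable
    directive); RFC 6797 says a UA must ignore such a header entirely.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None                      # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives carry no meaning for the UA and are skipped
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    def __init__(self, preload=None, now=time.time):
        self.now = now                       # injectable clock so expiry can be exercised
        self.preloaded = {h.lower(): HstsEntry(float("inf"), sub)
                          for h, sub in (preload or {}).items()}
        self.learned = {}                    # host -> HstsEntry, populated from headers

    def observe_response(self, url, headers):
        """Apply the STS header of a response to `url`; True if a policy was stored."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False                     # RFC 6797 section 8.1: ignore STS over non-secure transport
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        parsed = parse_sts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.learned.pop(host, None)     # forget a learned host; a preloaded one stays
            return False
        self.learned[host] = HstsEntry(self.now() + max_age, include_subdomains)
        return True

    def should_upgrade(self, host):
        """True if `host` or a superdomain with includeSubDomains has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            for table in (self.learned, self.preloaded):
                entry = table.get(candidate)
                if entry is None:
                    continue
                if entry.expires <= self.now():
                    del table[candidate]     # learned policy has expired
                    continue
                if i == 0 or entry.include_subdomains:
                    return True
        return False

    def rewrite(self, url):
        """Return the URL the browser should actually fetch (RFC 6797 section 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.should_upgrade(parts.hostname):
            return url
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    clock = [1_000_000.0]                    # constructed clock, advanced by hand below
    store = HstsStore(preload={"preloaded.example": True}, now=lambda: clock[0])
    # Policy learned from a constructed HTTPS response:
    store.observe_response("https://learned.example/",
                           {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    # The same header on a plain-HTTP response must be ignored:
    store.observe_response("http://spoofed.example/",
                           {"Strict-Transport-Security": "max-age=3600"})
    print(store.rewrite("http://www.preloaded.example/login"))
    print(store.rewrite("http://api.learned.example:8080/v1"))
    print(store.rewrite("http://spoofed.example/"))
    clock[0] += 3601
    print(store.rewrite("http://learned.example/"))      # unchanged once max-age has elapsed
```

The injectable clock is what makes the expiry path testable; a real browser persists the learned table to disk, which is also why debugging tools such as the one asked for in the comments below matter.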

When we initially announced HSTS in Windows 10, we noted that mixed content (HTTP subresources loaded into an HTTPS page) is not supported on servers that enable HSTS. With today's updates, this is still the case in Microsoft Edge on Windows 10: mixed content is always blocked on these servers. For Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7, the Information bar will prompt the user before proceeding in mixed content scenarios.

In addition to the HSTS updates, this month's Internet Explorer updates include 24 security fixes, which are detailed on TechNet. For more on the HSTS implementation in Internet Explorer, see KB 3071338.

Kyle Pflug, Program Manager, Microsoft Edge

Updated June 10, 2015 8:46 am

Join the conversation

  1. How fast are you going to sync the list?

    How can we check if a certain site is in HSTS preload list of IE/Edge? Equivalent of chrome://net-internals/#hsts ?

        • Simply take the “%C2%A0” off of the end of the link to make this work.

          I second Riasat’s comment about the chrome equivalent. I had Fiddler open to debug something and now I can no longer use IE to debug said site UNLESS I have Fiddler running. Definitely need a way to clear the HSTS list. =/

  2. “The HTTP Strict Transport Security (HSTS) policy protects against variants of man-in-the-middle attacks that can strip TLS out of communications with a server, leaving the user vulnerable.”

    HSTS has no effect on MiTM attacks that can strip TLS out of communications, all it does is state the website's or browser's preference to use SSL. Any HTTPS/SSL Interception methods that were possible before HSTS are still going to be just as effective…

    • Here’s an example case HSTS helps address (from our February post announcing HSTS in Internet Explorer): A user may initially connect to a non-encrypted version of a website before being redirected to a secure connection. An attacker exploiting the non-encrypted connection could redirect the user to a malicious site. HSTS mitigates this attack vector by allowing sites to specify that the browser should always use a secure connection to the server.

  3. How about IIS? Does it support HSTS natively now, too?

    Because just adding the header will not comply with the RFC:
    “An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.”

  4. How to deal with the captive portal when browsing an HSTS website? For example: https://www.facebook.com, it seems there is no proceed button to ignore the IE warning.
    So the user cannot get the captive portal webpage. Is there any way to solve it?

    Thanks!