
Why HSTS header is required if http to https redirect is already present?


We have a webserver running behind an AWS ALB and an AWS CloudFront in front of the ALB. We have set up forced http->https redirection in both the CDN and the ALB.

  1. Do we still need to configure the HSTS header?

  2. What are the disadvantages if we don't set up HSTS, when we have forced https redirect enabled?


Solution

  • Consider the following attack (SSL stripping).

    1. User enters "example.com" in the browser.
    2. The browser sends request to http://example.com.
    3. That redirects to https://
    4. The browser requests https://example.com and all is well, right?

    What if there is a man in the middle between the browser and these sites? HTTPS protects against man in the middle, so they can't do anything right?

    1. User enters "example.com" in the browser.
    2. The browser sends request to http://example.com.
    3. Attacker hijacks this request and responds with arbitrary content (e.g. something that looks like the real one).
    4. User entered example.com and got something that looks like it - user is happy, but is looking at a malicious page, on plain http. The attacker can even proxy the real page, replacing all https references with http and serving the appropriate content from an https site; the https connection in that case would be between the attacker and the https server, not between the user and the https server.

    Of course the user can discover this if they are security-aware and pay attention. Modern browsers now warn of insecure (= non-https) pages and so on. Still, the best practice is to make the very first request over https too, so all this is not possible (because an attacker can't forge a valid certificate for https://example.com), and that's exactly what HSTS achieves.
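A defender-side check of the policy the answer recommends, added here as an example and not part of the original answer: a small Python checker that inspects the Strict-Transport-Security header of a response (for instance one fetched from the CloudFront or ALB endpoint in the question) and reports what would leave the first request strippable. It assumes the one-year max-age floor that the HSTS preload list requires, and the sample responses are constructed, not real captures.

```python
MIN_MAX_AGE = 31536000  # one year: the floor the HSTS preload list requires (assumption)

# Constructed sample responses (scheme they were served over, response headers); not real captures.
SAMPLES = {
    "no_hsts": ("https", {"Location": "https://example.com/"}),
    "hsts_over_http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "short_max_age": ("https", {"Strict-Transport-Security": "max-age=300; includeSubDomains"}),
    "good": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
}

def parse_hsts(value):
    """Split an STS header value into its directives (names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')  # max-age may be a quoted string
            result["max_age"] = int(val) if val.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result

def check_hsts(scheme, headers):
    """Return a list of findings for one response; an empty list means the policy is sound."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: the first plain-http request stays strippable"]
    findings = []
    if scheme != "https":
        # RFC 6797: a browser must ignore an STS header received over an insecure transport.
        findings.append("HSTS sent over http: browsers ignore it unless received over https")
    d = parse_hsts(value)
    if d["max_age"] is None:
        findings.append("max-age directive missing or malformed")
    elif d["max_age"] < MIN_MAX_AGE:
        findings.append("max-age %d is below one year" % d["max_age"])
    if not d["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains stay reachable over plain http")
    if d["preload"] and findings:
        findings.append("preload requested but the preload-list requirements above are not met")
    return findings

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, check_hsts(scheme, headers) or "OK")
```

To check a live endpoint, feed `check_hsts` the scheme you fetched over and the response headers; a redirect on the http listener alone will show up as the "no Strict-Transport-Security header" finding, which is the gap the answer describes.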