What is HSTS?

HTTP Strict Transport Security is a must-have addition to your SSL certificate

HSTS or HTTP Strict Transport Security is a website security policy sent via HTTP header. It forces a user’s web browser to only make secure connections with a given website. This is important because it eliminates several potential attacks such as cookie hijacking and protocol downgrade attacks.

This is important because when you install an SSL certificate and migrate your website to HTTPS, you’re technically creating an entire new website. Every page, every URL now begins with https://. Those pages’ HTTP counterparts still exist though. Now, while best practice is to use 301 redirects to route traffic to the HTTPS site, the potential for a user to access your website unsecurely still exists.

HSTS prevents this by setting a Strict-Transport-Security parameter that forces all connects to be made securely and disregards any scripts that try to load assets over an unencrypted HTTP connection. HSTS is an IETF standard, RFC 6797, which was approved back in 2012.

What is the HSTS Preload List?

The HSTS preload list is essentially a database of websites that are known to be using HSTS. Websites must submit themselves to the list, which comes predownloaded in most popular browsers. The reason for the list is that HSTS does leave one, tiny attack vector open as a product of its nature. HTTP headers must be downloaded upon the initial connection which, as the name implies, still occurs via HTTP. With the right tools, on that very first insecure connection a hacker can strip down encryption, steal data or phish you.

The HSTS Preload List prevents this, the browser knows to connect securely the very first time to every site on the Preload list. One word of caution, make sure you’ve got everything working properly before you submit your name to the list. It’s actually possible to mess up HSTS and lock people out of parts of your site if you attempt to deploy with mixed content present. That’s not a big deal if you’re just playing around with the header on your own, but once you’re on the list every browser attempting to connect with your site is forced to do so via HTTPS, which means that if your SSL configuration triggers any sort of error access is essentially cut off. And you can’t just remove your name from the list. The list gets updated at the same intervals as the browsers (at best, once per month). So just like adding your site, removing it can take weeks.

All in all though, we definitely recommend setting up HSTS on your website. It’s a perfect complement to your SSL certificate.

How To Enable HSTS On Your Website

Here’s how to enable HSTS on the most popular web servers:

HSTS Header for Microsoft IIS Servers

protected void Application_BeginRequest(Object sender, EventArgs e) { switch (Request.Url.Scheme) { case "https": Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); break; case "http": var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery; Response.Status = "301 Moved Permanently"; Response.AddHeader("Location", path); break; } }

HSTS Header for Nginx

Here’s the code to add to your site.conf file:

add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload; always;'

HSTS Header for lighttpd

You’ll want to add this to your config file, i.e. /etc/lighttpd/lighttpd.conf

server.modules += ( "mod_setenv" ) $HTTP["scheme"] == "https" { setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload") }

HSTS Header for Apache Web Server

You can add this to your .htaccess file:

# Use HTTP Strict Transport Security to force client to use secure connections only 
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"

How To Get Your Site On The HSTS Preload List

Once you’ve enabled HSTS on your website, you’ll want to add your site to the HSTS preload list. You can check your site’s eligibility and submit it at hstspreload.org.