What is HSTS? How to Use HTTP Strict Transport Security?

Hackers are capable enough to capture your network traffic from HTTP of any site, which relies on 301 redirects for switching between HTTP and HTTPS. Using this method, the hacker can strip down your SSL encryption and steal all your important information. The hacker can even create a fake login portal page, which makes it critical for your site to have HTTP Strict Transport Security. The following blog discusses more about it.

What is HSTS?

HSTS stands for HTTP Strict Transport Security, which is a web server directive informing the web browsers and user agents to handle the connection at the beginning and then the back of the browser.

In this way, the HSTS basically establishes the Strict Transport Security policy field, forcing the connections to occur over HTTPS encryption. It also disregards the script’s call to upload any particular resource in the domain across HTTP while preventing the users from acquiring any SSL certificates.

Accordingly, HSTS is one way to shield your web server, as well as web-hosting service, in maintaining its security. The HSTS is used by almost all the major browsers today.

Why should I use HSTS?

SEO Malaysia

The main goal of creating HSTS was to ensure that all the man-in-the-middle (MITM) attacks, which employ SSL stripping, can be avoided. SSL stripping is basically a technique in which the attacker makes the browser connect to a site that uses HTTP. In doing so, the hacker can then sniff packets, modify critical information, and intercept sensitive data. In this regard, HSTS is an effective way to prevent cookie hijacking.

How does HSTS work?

Most of the time, when you enter an URL in the web browser, the protocol part is ignored. For instance, many users type www.example.com instead of http://example.com.

In such cases, the browser makes HTTP request to www.example.com because it assumes that you want to navigate through the HTTP protocol. Accordingly, the web server usually returns a 301 response code or redirect, eventually pointing to the HTTPS site. This results in the browser making a connection to www.example.com.  At this stage, the HSTS security policy protection uses the HTTP response header:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

The aforementioned Strict-Transport-Security header provides particular instructions to the browser. Eventually, every connection made to the overall site and its subdomains for the entire next year will be received with an HTTPS connection. The HTTP connections, on the other hand, will not be allowed.

In case the browser requests to load any resource with HTTP, then it will have to make an HTTPS request instead. If the HTTPS version of the resource is not available, then the established connection will be terminated.

On the other hand, if the certificate from the browser is invalid, then you will not be allowed to make a connection. Usually, the certificate is not valid if it is approved by an unknown CA, self-signed, and expired. The browser will eventually display warming, so you can skip connecting with the website.

However, if the website has HSTS, then the browser will not permit you to circumvent the warning. You can then access the site by removing it from the HSTS list found within the browser.

The Strict-Transport-Security header is particular to the domain name and the given site. Accordingly, if you have an HSTS header for www.example.com, then the HSTS header will not work for example.com. It will, however, work for the www subdomain. This makes it essential that if you want full-fletch security for your website, then it should cover a call to the subdomain and eventually, get a Strict-Transport-Security header for the domain having includeSubDomains directive.

What is HSTS preloading, and how can it be used?

In order to ensure that your users stay protected from the first time they visit your website, you can add your website to the HSTS preload list found across the browser. Accordingly, the next version of the browser will automatically include your website in its static list of websites that can be only accessed via HTTPS and not HTTS.

How to check if HSTS is enabled?

There are numerous ways by which you can check if the HSTS policy is implemented on your site or not. You can use third-party tools, for instance, in order to scan a dummy site that has no security headers or content. You can also use the Google Chrome Devtools and click on the “Network” tab. This will allow you to see the headers tab and whether or not the HSTS value is being applied. For a WordPress site, there are separate online tools to see if the header has been applied on your website.

How to Enable HTTP Strict Transport Security (HSTS) Policy?

Before you can enable HTSTS policy, you should deploy an SSL certificate to your site and ensure that the HTTP to HTTPS redirection is operational. You can then connect your server using SSH. In this way, you can access the .htaccess file of your concerned application. The server can be connected to the server by either using the SSH client or employing the Cloudways integrated SSH terminal.

Once this is done, you are supposed to visit the specific directory where the Webroot can be found or only where the .htaccess file of your application is located. In most cases, it is usually in the public_html directory by default.

For editing the .htaccess file and adding the HSTS rule, you need to open the file. Once the file has been opened, you can press the I key in order to start the editing mode. You will find – – INSERT – 0 in the bottom of the screen once the key is pressed. This rule will ensure one-year max-age access for both the root domain and the subdomains of your website. Once the browser tries accessing the website, it cannot do so by using the HTTP version of the site for an entire year. Finally, you can press the ESC key in order to exit the editing mode.

 HSTS Impact on SEO

SEO Malaysia

You might find warnings from the SEO tools regarding 307 redirects when the site is added to the HSTS preload list. This usually happens if someone is trying to access your website from the unsecured HTTP protocol. In this way, a 307 redirect occurs instead of a 301 redirect.

However, even if your SEO tools are showing that the 301 redirects are not happening, it only means that the 307 redirects are occurring at the level of the browser while the 301 redirects are happening at the application level. For checking the redirects, you can use the redirect checker tools available online.

You can also get in touch with any digital marketing agency in Malaysia or your SEO Malaysia to evaluate your site’s redirect condition. Besides this, there are no significant impacts on your search engine result page rankings or other aspects of the SEO strategy.

Is HSTS Completely Secure?

digital marketing agency in Malaysia

When you visit any website for the first time, your connection will not be protected by HSTS. In case the site adds an HSTS header to your HTTP connection, then the header will be eventually ignored. This is particularly true because the attacker can add or remove headers when working on a man-in-the-middle attack. The HSTS header, therefore, is not entirely reliable until unless the site delivers it with the help of HTTPS.

It is also quite essential to remember that the HSTS needs to be refreshed every year. Its max-age is for maximum two value. In this way, the site will not be protected after the two years of you visiting the website. In other words, if you do not visit the website for two entire years, it is seen as a new site. On the other hand, if the HSTS header has the max-age of 0, then the browser will treat the website as a new site on every connection. Such headers are usually best for testing the HSTS.

Since you might want an improved protective connection, you can add layers of security through the HSTS preload list. The Chromium project has numerous list of sites that employ HSTS. The list is distributed across the browsers. When you add your site to the preload list, the browser will check the internal list. In this way, your site can never be accessed using HTTP even when the first connection is attempted. This method can be used with all the major browsers, including Chrome, Opera, Safari, Edge, IE11, and Firefox.

In The End

The HTTP Strict Transport Security (HSTS) is a crucial security protocol that you should not ignore when building your website on the search engine. We recommend you evaluate whether or not your site has the header applicable and operational. In doing so, you should also get an authentic SSL certificate and ensure that your website is available in the HSTS preload list In this way, your customers can also access your website without any issue and security concerns.