What is HSTS and how to activate it


You may have confirmed that your website has SSL enabled and that the lock icon in your browser is green. However, you may have overlooked the guard on the HTTP side: HTTP Strict Transport Security (HSTS). What is HSTS, and how does it help keep your site secure?

What is HTTPS?

HyperText Transfer Protocol Secure (HTTPS) is the encrypted version of HTTP. The connection is protected with the Secure Sockets Layer (SSL) protocol (today its successor, TLS) and authenticated with an SSL certificate. When you connect to an HTTPS website, the information exchanged between the website and the user is encrypted.

This encryption helps protect you against data theft through Man-in-the-Middle (MITM) attacks. The additional layer of security also does a little to improve the reputation of your website. Adding an SSL certificate is now so easy that many web hosts will add one to your site for free. HTTPS on its own still has some gaps, and HSTS exists to close them.

What is HSTS?

HSTS is a response header that tells the browser the website may only be accessed over HTTPS. From then on the browser will load only the HTTPS version of the website and of every resource on it.

You may not realize that even when your SSL certificate is correctly set up and HTTPS is enabled, the HTTP version of your website is still reachable. This remains true even if you have set up forwarding with a 301 Permanent Redirect. Although the HSTS policy has been around for a while, it was only officially launched by Google in July 2016, which is probably why you have not heard much about it.

Enabling HSTS protects against protocol-downgrade attacks such as SSL stripping and against cookie hijacking, two further weaknesses of SSL-enabled websites. Besides making websites more secure, HSTS also makes them load faster by removing the HTTP-to-HTTPS redirect from the loading procedure.

What is SSL Stripping?

While HTTPS is a huge improvement over HTTP, it is not immune to attack. SSL stripping is a very common MITM attack against websites that rely on redirects to move users from the HTTP to the HTTPS version. The 301 (permanent) and 302 (temporary) redirects basically work like this:

 1. Users type google.com in the address bar of their browser.

 2. The browser initially tries to load http://google.com by default.

 3. Google.com is set up with a permanent 301 redirect to https://google.com.

 4. The browser sees the redirect and loads https://google.com instead.

With SSL stripping, an attacker sitting between the user and the site uses the window between step 3 and step 4 to suppress the redirect, so the browser never loads the secure (HTTPS) version of the website. Once you are on the unencrypted version of the website, any data you enter can be stolen.

Attackers can also redirect you to a copy of the website you are trying to reach and capture all of your data as you enter it, even if the page looks secure. Google has implemented measures in Chrome to stop certain types of redirects. Even so, enabling HSTS should be something you do by default for all your websites from now on.

How Does HSTS Stop SSL Stripping?

With HSTS enabled, the browser loads only the secure version of the website and ignores redirects and any other attempt to open a plain HTTP connection. This closes the window that 301 and 302 redirects leave open.

There is a downside even to HSTS: the user's browser must have seen the HSTS header at least once before it can enforce the policy on future visits. That means the very first visit still goes through the HTTP > HTTPS redirect, leaving the user exposed the first time they visit a website that supports HSTS. To work around this, Chrome ships with a list of websites that have HSTS enabled. Site owners can submit their HSTS-enabled websites to this preload list if they meet the (simple) required criteria.

Websites added to this list are built into future Chrome releases, so everyone who visits your HSTS-enabled website with an up-to-date Chrome is protected from their very first request. Firefox, Opera, Safari, and Internet Explorer have their own HSTS preload lists, but they are all based on Chrome's list at hstspreload.org.

How To Enable HSTS On Your Website

To enable HSTS on your website, you must first have a valid SSL certificate. If you enable HSTS without SSL, your site will not be available to any visitors, so make sure your website and all of its subdomains work over HTTPS before proceeding. Enabling HSTS is quite easy: you only need to add a header in the .htaccess file on your site. The header you need to add is:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This tells the browser to remember the policy for one year (31536000 seconds) for your website and all of its subdomains. Once a browser has seen the header, it will refuse to load the insecure HTTP version of the website for a year. Make sure that every subdomain of this domain is covered by the SSL certificate and has HTTPS enabled. If you forget this, the subdomain will no longer be reachable once browsers have seen the header you saved in the .htaccess file.

Websites that omit the includeSubDomains option can expose visitors to privacy leaks, because an insecure subdomain can be used to manipulate cookies for the domain. With includeSubDomains enabled, every subdomain is forced onto HTTPS as well, and this cookie-related attack is no longer possible.

Note: Before committing to a max-age of one year, test your entire website with a max-age of five minutes using max-age=300;

Google further recommends ramping up to one week and then one month, checking your website and its traffic at each step, before applying the final max-age of two years:

Five minutes: Strict-Transport-Security: max-age=300; includeSubDomains

One week: Strict-Transport-Security: max-age=604800; includeSubDomains

One month: Strict-Transport-Security: max-age=2592000; includeSubDomains

Getting Onto the HSTS Preload List

By now you should be familiar with HSTS and why it is important for your site to use it. Keeping your website visitors safe online should be a key element of your site plan. To be eligible for the HSTS preload list that Chrome and other browsers use, your website must meet the following requirements:

1. Present a valid SSL certificate.

2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.

3. Serve all subdomains over HTTPS. In particular, you must support HTTPS for the www subdomain if a DNS record exists for it.

4. Serve the HSTS header on the base domain for HTTPS requests:

  * Maximum age must be at least 31536000 seconds (1 year).

  * The includeSubDomains directive must be specified.

  * The preload directive must be specified.

  * If you serve additional redirects from your HTTPS site, those redirects must themselves carry the HSTS header (not just the page they redirect to).

If you want to add your website to the HSTS preload list, make sure you include the required preload directive. The "preload" option signals that you want your website added to Chrome's HSTS preload list. The response header in the .htaccess will then look like this:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
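The following is an added example, not code from the original article. It parses a Strict-Transport-Security value, checks it against the preload requirements listed above, and models the browser-side HSTS cache that explains the first-visit weakness and the preload fix from the earlier section. The host names and timestamps in the comments are constructed for illustration.

```python
# Added example (not code from the original article): parse an HSTS header,
# check it against the hstspreload.org requirements quoted above, and model the
# browser-side cache that explains the "first visit" weakness and the preload fix.
ONE_YEAR = 31536000  # minimum max-age (seconds) required by hstspreload.org

def parse_hsts(value):
    """Map 'max-age=300; includeSubDomains' to {'max-age': '300', 'includesubdomains': ''}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def preload_issues(value):
    """Return the preload requirements this header fails (empty list = eligible)."""
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not an integer"]
    issues = []
    if int(d["max-age"]) < ONE_YEAR:
        issues.append("max-age below 31536000")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing")
    if "preload" not in d:
        issues.append("preload missing")
    return issues

class HstsCache:
    """Minimal model of a browser's HSTS store: host -> policy expiry time."""
    def __init__(self, preload=()):
        self.preload = {h.lower() for h in preload}  # shipped with the browser
        self.known = {}                               # learned from responses

    def observe(self, host, value, over_https, now):
        """Record a header from a response; plain-HTTP headers are ignored (RFC 6797)."""
        d = parse_hsts(value)
        if not over_https or not d.get("max-age", "").isdigit():
            return
        if int(d["max-age"]) == 0:
            self.known.pop(host.lower(), None)       # max-age=0 withdraws the policy
        else:
            self.known[host.lower()] = now + int(d["max-age"])

    def should_upgrade(self, host, now):
        """True if an http:// request for host must be rewritten to https://."""
        host = host.lower()
        if host in self.preload:
            return True                               # safe even on the first visit
        return host in self.known and now < self.known[host]
```

A site seen only over plain HTTP never enters the cache, which is exactly why the first visit to a non-preloaded site is the exposed one.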

I suggest you submit your website at hstspreload.org. The requirements are fairly easy to fulfill, and meeting them will help protect your website's visitors and potentially improve your website's search engine rankings.


So what is HSTS? HTTP Strict Transport Security (HSTS) is a web server policy, delivered to user agents and web browsers in a response header, that tells them to connect to the site only over HTTPS.

Hopefully this article on what HSTS is and how to activate it has given you some insight. You may also want to read the article "What is HTML? Learn Everything, Completely". Thank you.
