HSTS technology: what is it?

HSTS technology: what is it?

To ensure a high level of security for the user’s connection to the site server, it is recommended to use such technology as HSTS. What is it for and how to activate it on your website, we will talk below.

Direct Line
Who are we

Largest agency
Internet marketing outside the Moscow Ring Road:
1200+ projects
65 specialists
fourteen years on the market
TOP 10
the best online promotion companies in Russia 2020

Commercial offer

What is HSTS?

Several years ago, webmasters began to install SSL certificates on their resources in order to increase the level of safety of user data. However, if you understand the technology, then it may not be enough for maximum security. The thing is that the user, entering the domain address in the browser line, first gets to the unprotected version of the site, and after that he is redirected to the version with the HTTPS protocol. This server operating principle allows attackers to gain access to user data in a variety of ways. The HSTS technology can solve this problem.

The essence of its work lies in the fact that the browser receives a protected HTTP Strict Transport Security header, and this can happen even on the user’s first visit to the resource (if the domain is added to the Preload List). This header tells the browser to enable a secure HTTPS connection, i.e. only this version of the connection becomes available, and unsecured HTTP is no longer served. In other words, it will no longer be possible to intercept a browser request at the time of a redirect from HTTP to HTTPS.

An interesting point, if the HSTS mechanism is activated, then if there are pages on the site that work using an unprotected protocol, access to them will automatically be closed. The same situation will arise if the SSL certificate has expired.

How to implement HSTS?

On the first visit to the site, the user gets an unsecured connection even when using HSTS. To get the most out of the implementation of this mechanism, you need to add the domain to a special Preload List – a list of sites created by Google. This listing is supported by most browsers, and to check if a site is in this list, you can use one of the specialized services (for example, ssllabs.com). The Preload List lists domains that use the HSTS header mechanism with the maximum expiration date set and the preload flag.

But before adding a domain to the listing, you need to understand that after that, the site will no longer be accessible via the HTTP protocol in principle – only a connection via HTTPS will be possible. Therefore, you need to be sure that you plan to permanently use the SSL certificate, while not forgetting to renew it in time.

Installing the certificate

The first step towards activating HSTS technology will be the correct installation of the SSL certificate. Most of the leading hosting providers provide this service. We will not focus on the principles of choosing a certificate, let’s just say that, as a rule, they are purchased for one year, then extended (or reissued).

After installation, it is important to check the operation of the settings – there should be an automatic redirection from the HTTP protocol to HTTPS, if everything is in order, let’s move on.

Configuring HSTS

There are two options here: activating the mechanism through the capabilities of the hosting provider’s personal account. In this case, everything is pretty simple. And the second is manual server configuration, let’s talk about it below.

You must first select a title option:

  • Strict-Transport-Security: max-age = – defines the duration of HSTS for the specified domain.
  • Strict-Transport-Security: max-age = ; includeSubDomains – also defines the validity period, but the action applies not only to the domain, but also to its subdomains.
  • Strict-Transport-Security: max-age = ; preload – in addition to defining HSTS expiration dates, it indicates to the user’s browser that this domain is in the Preload List.

Header directives:

  • max-age – present in any title option and is required. Tells the user’s browser how long to store the connection type in seconds. Typically, the retention periods are 31536000 and 63072000 (1 and 2 years, respectively). You can also set the value to 0, in which case the browser will reset the connection information every time the user visits.
  • Includesubdomains – if the domain contains subdomains, then this directive is set in the header. To ensure a high level of connection security, it is recommended to link each subdomain to the main one.
  • Preload – This directive indicates that the site supports HSTS preloading and is added to the Preload List.

Example header:

Strict-Transport-Security: “max-age = 31536000;” preload

This header conveys the following information to the browser: the header is valid for 1 year (31536000 seconds), the domain has been added to the listing base. If during this period the SSL certificate ceases to be valid on the site, the browser will automatically terminate the connection.

Apache configuration

If the server runs on Apache, then to activate HSTS, you need to add the following parameters to its configuration file:

  Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"

In this case, the validity period is 1 year, the title itself will be updated every time you visit the resource. At the same time, to redirect to pages using the HTTPS protocol, you should add the parameter (domain.com is your domain):

<VirtualHost *:80>
  ServerName domain.com
  Redirect permanent / https://domain.com/

Setting for Ngnx

Similarly, by adding additional parameters to the configuration file, which, as a rule, is located along the path “/etc/nginx/conf.d”. The parameters are a pre-written title from the options listed above.

Ngnx allows you to use only the option with a secure or unsecured connection on one server. Simultaneous support for these protocols is not supported.

Adding to Preload List

This is an optional step, but if you plan to constantly use an SSL certificate on the site, then to ensure the most secure connection, it is recommended to add the domain to the listing. It was already mentioned above that after adding a site there, all modern browsers will stop opening unprotected pages. If you need to disable HSTS, it will take at least several months of waiting to remove the domain from the listing. Therefore, before adding, it is worth considering all the nuances.

So, the algorithm of actions:

  1. Install a valid SSL certificate on the server.
  2. The redirect from HTTP to HTTPS should work correctly, all redirects should be checked. Remember, if any page is not accessible via HTTPS, after adding to the listing, it will be inaccessible in principle.
  3. Configure the server to transmit the Strict Transport Security header.
  4. Online https://hstspreload.org get acquainted with the information, and the addition takes place in a special form.

HSTS check

After setting up HSTS, its operation must be checked for errors. This can be done in the following ways:

  1. On the Apache side using CURL (where domain.com is the name of the checked domain):

          $ curl -s -D- https://domain.com | grep Strict Strict-Transport-Security: max-age=31536000; includeSubdomains;
  2. Using services:

    • page-speed.ru
    • ssllabs.com

The relevance of using HSTS

Header preloading certainly significantly improves the security of the site (or rather user data), but is this required for the average resource? Most probably not. However, this decision will be justified if any transactions are made on the site, personal information of users is transmitted, etc.

If it was decided to include HSTS on the site, then it is recommended to first set the minimum possible header validity period (max-age), this will allow you to quickly correct errors (talking about the inaccessibility of pages via HTTPS) with minimal consequences.

If we talk about SEO-promotion, then the presence of HSTS on the site can positively affect the ranking of the site. This is achieved indirectly due to the fact that the speed of loading pages is reduced – the server does not need to redirect from HTTP to HTTPS, the second version of the protocol is loaded immediately.

# seo
# Web development

Leave a Reply

Your email address will not be published.