To protect the connection between a user's browser and the site's server, it is recommended to use HSTS. Below we explain what it is for and how to enable it on your website.
What is HSTS?
Several years ago webmasters began installing SSL certificates on their sites to improve the safety of user data. If you look at how the technology actually works, however, a certificate alone may not be enough for maximum security. When a user types the domain into the browser's address bar, the browser first connects to the unprotected HTTP version of the site and is only then redirected to the HTTPS version. That first plaintext request gives attackers a number of ways to get at user data. HSTS is designed to close this gap.
It works as follows: the server sends the browser an HTTP Strict Transport Security header, and if the domain is in the Preload List the browser applies the policy even on the user's very first visit to the site. The header tells the browser to use only a secure HTTPS connection to this site: only that version of the connection remains available, and unsecured HTTP is no longer served. As a result, a browser request can no longer be intercepted at the moment of the redirect from HTTP to HTTPS.
An important point: once HSTS is active, any pages on the site that are only served over the unprotected protocol automatically become inaccessible. The same happens if the SSL certificate expires.
How to implement HSTS?
On the first visit to a site, the user gets an unsecured connection even when HSTS is in use. To get the most out of the mechanism, you need to add the domain to a special Preload List, a list of sites created by Google. This list is supported by most browsers; to check whether a site is in it, you can use one of the specialized services (for example, ssllabs.com). The Preload List contains domains that send the HSTS header with the maximum expiry period and the preload flag.
Before adding a domain to the list, however, you need to understand that afterwards the site will no longer be reachable over HTTP at all; only an HTTPS connection will be possible. You therefore need to be sure that you intend to use an SSL certificate permanently, and not forget to renew it on time.
Installing the certificate
The first step towards enabling HSTS is installing the SSL certificate correctly. Most leading hosting providers offer this service. We will not go into how to choose a certificate; suffice it to say that, as a rule, certificates are bought for one year and then renewed (or reissued).
After installation, check that the settings work: there should be an automatic redirect from HTTP to HTTPS. If everything is in order, move on.
Configuring HSTS
There are two options here. The first is to enable the mechanism through your hosting provider's control panel, in which case everything is quite simple. The second is manual server configuration, which we discuss below.
First, choose one of the header variants:
Strict-Transport-Security: max-age=<seconds> – sets the HSTS validity period for the given domain.
Strict-Transport-Security: max-age=<seconds>; includeSubDomains – also sets the validity period, but applies the policy not only to the domain but also to its subdomains.
Strict-Transport-Security: max-age=<seconds>; preload – in addition to setting the HSTS validity period, indicates to the user's browser that this domain is in the Preload List.
Header directives:
max-age – present in every header variant and required. Tells the user's browser how long, in seconds, to remember that the site must be reached over HTTPS. Typical values are 31536000 and 63072000 (1 and 2 years respectively). The value can also be set to 0, in which case the browser discards the stored policy on every visit.
includeSubDomains – set in the header when the domain has subdomains. For the highest level of connection security, it is recommended to cover every subdomain together with the main domain.
preload – indicates that the site supports HSTS preloading and is to be added to the Preload List.
A header with a max-age of 31536000 seconds and the preload directive, for example, tells the browser the following: the policy is valid for 1 year, and the domain has been added to the Preload List. If during this period the site's SSL certificate stops being valid, the browser will automatically terminate the connection.
Apache configuration
If the server runs on Apache, add the following to its configuration file (the Header directive requires the mod_headers module to be enabled):
<VirtualHost 67.89.123.45:443>
    # Send the HSTS header on every response, including error pages
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
Here the validity period is 1 year, and the header itself is refreshed each time the site is visited. To redirect visitors to the HTTPS pages, you should also add the following parameter (domain.com is your domain):
Nginx configuration
Nginx is configured similarly, by adding parameters to its configuration file, which is usually located under /etc/nginx/conf.d. The parameter is the pre-written header from one of the variants listed above.
Nginx allows only one option on a single server: either a secure or an unsecured connection. Simultaneous support for both protocols is not supported.
Adding to Preload List
This step is optional, but if you plan to use an SSL certificate on the site permanently, it is recommended to add the domain to the list for the most secure connection. As mentioned above, once a site is added, all modern browsers will stop opening its unprotected pages. If you later need to disable HSTS, removing the domain from the list takes at least several months of waiting. Weigh all the nuances before adding.
So, the sequence of steps:
Install a valid SSL certificate on the server.
The redirect from HTTP to HTTPS must work correctly; check every redirect. Remember: if any page is not accessible over HTTPS, it will be completely inaccessible after the domain is added to the list.
Configure the server to send the Strict-Transport-Security header.
Read the requirements at https://hstspreload.org and submit the domain through the form there.
HSTS check
After setting up HSTS, check that it works without errors. This can be done in the following ways:
On the Apache side, using curl (where domain.com is the domain being checked):
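As an added example, not part of the original article, the script below parses a Strict-Transport-Security header value following the directive rules of RFC 6797 and lists the problems that would make the header ineffective, or make the domain ineligible for the Preload List. The eligibility thresholds it applies (max-age of at least one year, plus includeSubDomains and preload) are the ones published on hstspreload.org. The fetch_hsts_header helper retrieves the live header over HTTPS and stands in for the curl check; the sample header values in the block are constructed, not taken from any real site. The same block also covers the header variants and directives described in the Configuring HSTS section above.

```python
"""Parse and sanity-check a Strict-Transport-Security header.

Added example, not from the original article. Directive semantics follow
RFC 6797; the preload eligibility thresholds are those published on
hstspreload.org (max-age of at least one year, includeSubDomains, preload).
"""
import http.client
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the typical max-age quoted in the article


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: list  # human-readable findings, empty when the header is sound


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a header *value* such as 'max-age=31536000; includeSubDomains'.

    Directive names are case-insensitive (so 'includeSubdomains', as in the
    article's Apache snippet, is accepted). Empty directives, e.g. from a
    trailing ';', are ignored, as RFC 6797 permits.
    """
    max_age = None
    include_subdomains = False
    preload = False
    problems = []
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # values may be quoted-strings
        if name in seen:
            problems.append(f"duplicate directive '{name}'; RFC 6797 makes browsers ignore the whole header")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                problems.append(f"max-age must be a non-negative integer, got {value!r}")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive '{name}' (browsers ignore it)")
    if max_age is None:
        problems.append("max-age is missing; browsers ignore the header without it")
    elif max_age == 0:
        problems.append("max-age=0 clears the policy on every visit; HSTS is effectively off")
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def preload_eligible(policy: HstsPolicy) -> list:
    """Return the reasons a parsed policy would be rejected by hstspreload.org."""
    reasons = []
    if policy.max_age is None or policy.max_age < ONE_YEAR:
        reasons.append(f"max-age must be at least {ONE_YEAR} seconds (one year)")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains directive is required")
    if not policy.preload:
        reasons.append("preload directive is required")
    return reasons


def fetch_hsts_header(domain: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the live header over HTTPS with a HEAD request (needs network).

    Returns None when the site sends no Strict-Transport-Security header.
    Plain HTTP is deliberately not queried: browsers ignore an STS header
    received without TLS, so only the HTTPS response matters.
    """
    conn = http.client.HTTPSConnection(domain, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": domain})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for sample in ("max-age=31536000; includeSubdomains;",
                   "max-age=63072000; includeSubDomains; preload",
                   "max-age=0"):
        policy = parse_hsts(sample)
        print(sample, "->", policy.problems or "ok",
              "| preload:", preload_eligible(policy) or "eligible")
```

To check a live site, call parse_hsts(fetch_hsts_header("domain.com")) and inspect the problems list and preload_eligible result; a None return from fetch_hsts_header means the server is not sending the header at all on HTTPS responses.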
Header preloading certainly improves the security of the site (or rather of user data) significantly, but does the average site need it? Most probably not. It is justified, however, if transactions are made on the site, users' personal information is transmitted, and so on.
If you decide to enable HSTS on the site, it is recommended to start with the smallest practical header validity period (max-age). This lets you correct errors (pages inaccessible over HTTPS) quickly and with minimal consequences.
As for SEO, the presence of HSTS can have a positive effect on the site's ranking. This happens indirectly, because page load time is reduced: the server does not need to redirect from HTTP to HTTPS, and the HTTPS version is loaded immediately.