Keeping your website's data safe is probably the most important thing, and believe me, a 301 redirect alone does not make the switch from HTTP to HTTPS secure. The 301 redirect still leaves a tiny window of opportunity for hackers to get inside your home and steal your most valuable possession, the data of your website.
That’s enough about the problem; let’s talk about the solution!
HSTS, an added level of security to your website.
But what is it really?
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It is a web server directive; in simple terms, it is a web security policy mechanism that allows only secure connections to your website.
HTTPS is a secure protocol, but there is one flaw that makes it less secure and puts your website data in danger: it is not on by default. A browser that has not been told otherwise starts with plain HTTP, and in the gap between the user's first insecure request and your server telling them to switch, a hacker can hijack the user's connection. It is as bad as it sounds.
So how can an HSTS prevent this from happening?
Normally the sequence of events goes like this. A user wants to access your website, and the browser sends the request to your server over plain HTTP. The server, being a gentleman, sends a 301 Moved Permanently response telling the browser to redirect from the HTTP address to HTTPS.
Now the user has access to your website, so he's happily browsing. The problem occurs when a hacker controls the user's connection: he can block or tamper with the 301 response and hijack the browsing session.
HSTS does a simple thing: along with serving the site over HTTPS, the server sends a header that tells the browser to use HTTPS for this site on its own, before sending any further request, for as long as the header's max-age lasts. So our protagonist, HSTS, saves the day by enabling HTTPS site-wide. Now no one can access your website without a secure connection, and the antagonist, the hacker, will sit around grinding his teeth in frustration.
Another important term regarding HSTS is Preloading, but what is it?
The preload list works as a melee weapon for HSTS to secure your website. HSTS has one major flaw: it doesn't work for the very first connection a user makes, because the browser has not yet seen the header. If a user is browsing your website for the first time, there is still a chance of hijacking and all the bad stuff we talked about earlier. The preload list prevents just that.
HSTS preloading is a Chromium project initiative: the Chromium project maintains a list of HSTS-enabled websites that is built into the browser. When a user visits a listed website for the first time, the browser behaves as if it had already seen the HSTS header, securing the website completely.
To benefit from this, you have to get your website listed in the preload list.
The obvious question now is:
How to set up HSTS?
HTTP Strict Transport Security has some requirements before it can provide its services. They are:
- A valid SSL certificate.
- Redirection of all HTTP links to HTTPS with a 301 Permanent Redirect.
- An SSL certificate that covers all your subdomains.
- The preload directive must be specified.
- A max-age of 31536000 seconds (one year).
- The includeSubDomains directive must be specified if you have them.
To turn on HSTS, add this header to all responses from your server:
Strict-Transport-Security: max-age=300; includeSubDomains; preload
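The walkthrough above (first visit over HTTP, 301, header, later visits upgraded by the browser itself, and the preload list closing the first-visit gap) and the preload requirements list can both be made concrete with a small model. The following is an added example, not code from the original post: it parses a Strict-Transport-Security value, checks it against the requirements listed above, and replays the browser's behaviour with constructed hosts and responses (example.com and example.net are placeholders). Note that the header shown above uses max-age=300, while the requirements ask for 31536000; the checker reports exactly that difference.

```python
# Added example (not code from the original post): a toy model of a browser's
# HSTS store, plus a check of a Strict-Transport-Security header against the
# preload requirements listed above. All hosts and responses are constructed.
import re
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the preload list requirement


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict.

    Returns None when max-age is missing or malformed; a browser ignores
    such a header instead of guessing a policy."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def preload_problems(header):
    """List the preload requirements the header fails (empty list = eligible)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or malformed max-age"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age %d is below %d seconds"
                        % (policy["max_age"], PRELOAD_MIN_MAX_AGE))
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


class Browser:
    """Minimal HSTS store: host -> (expiry time, include_subdomains)."""

    def __init__(self, preload_list=(), now=0):
        self.now = now
        self.store = {}
        # Preloaded hosts behave as if a never-expiring policy with
        # includeSubDomains had already been received.
        for host in preload_list:
            self.store[host] = (float("inf"), True)

    def _covered(self, host):
        # Match the exact host, or a parent domain whose policy covers subdomains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.store.get(".".join(labels[i:]))
            if entry and entry[0] > self.now and (i == 0 or entry[1]):
                return True
        return False

    def request_url(self, url):
        """Return the URL the browser actually sends, after the internal upgrade."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname):
            parts = parts._replace(scheme="https")
        return urlunsplit(parts)

    def receive(self, url, headers):
        """Record an HSTS policy; the header is only honoured over https."""
        parts = urlsplit(url)
        hsts = headers.get("Strict-Transport-Security")
        if parts.scheme == "https" and hsts:
            policy = parse_hsts(hsts)
            if policy is not None:
                self.store[parts.hostname] = (self.now + policy["max_age"],
                                              policy["include_subdomains"])


def demo():
    """Replay the sequence described above with constructed responses."""
    header = "max-age=31536000; includeSubDomains; preload"
    b = Browser()
    out = {}
    out["first"] = b.request_url("http://example.com/")       # first visit: still plain http
    # The server answers 301 to https; after following it the browser sees the header.
    b.receive("https://example.com/", {"Strict-Transport-Security": header})
    out["later"] = b.request_url("http://example.com/login")  # upgraded before any traffic
    out["sub"] = b.request_url("http://www.example.com/")     # covered by includeSubDomains
    b.now += PRELOAD_MIN_MAX_AGE + 1
    out["expired"] = b.request_url("http://example.com/")     # policy has lapsed
    b.receive("http://example.com/", {"Strict-Transport-Security": header})
    out["over_http"] = b.request_url("http://example.com/")   # header over http is ignored
    pre = Browser(preload_list=["example.net"])
    out["preloaded"] = pre.request_url("http://example.net/")  # secure even on first visit
    return out


if __name__ == "__main__":
    for name, url in demo().items():
        print(name, url)
    print(preload_problems("max-age=300; includeSubDomains; preload"))
```

Running it shows the two things worth remembering: the first request is the only one that ever leaves the browser as plain HTTP unless the host is preloaded, and a header with max-age=300 is fine for a trial run but will be rejected for preloading until max-age is raised to 31536000.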
To Install HSTS in Apache Web Server
Simply add this to your .htaccess file:
# Use HTTP Strict Transport Security to force the client to use secure connections only
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
To Install HSTS in lighttpd
Simply add this to your lighttpd configuration file, /etc/lighttpd/lighttpd.conf:
server.modules += ("mod_setenv")
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ("Strict-Transport-Security" => "max-age=300; includeSubDomains; preload")
}
To Install HSTS in NGINX
Add this to your site.conf file:
add_header Strict-Transport-Security 'max-age=300; includeSubDomains; preload' always;
To Install HSTS in IIS Servers
Add this to your Global.asax.cs, so that HTTPS responses carry the header and HTTP requests are redirected:
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            // Secure request: send the HSTS header
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
            break;
        case "http":
            // Insecure request: 301 redirect to the same path over HTTPS
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
Congratulations, you’ve successfully added another security to your website!