You may have made sure that your websites have SSL enabled, and the pretty security padlock in your browser is green. However, you may have forgotten about HTTP’s little security man, HTTP Strict Transport Security (HSTS).
What is HSTS, and how can it help keep your site secure?
What Is HTTPS?
Hyper Text Transfer Protocol Secure (HTTPS) is a secured version of a website (HTTP).The encryption is enabled using the Secure Sockets Layer (SSL) protocol and is validated with an SSL certificate. When you connect to an HTTPS website, the information transferred between the website and the user is encrypted.
This encryption helps protect you against data theft through Man-in-the-Middle-Attacks (MITM). The added layer of security also slightly helps improve the reputation of your website Demystify SEO: 5 Search Engine Optimization Guides That Help You Begin Demystify SEO: 5 Search Engine Optimization Guides That Help You Begin Search engine mastery takes knowledge, experience, and lots of trial and error. You can begin learning the fundamentals and avoid common SEO mistakes easily with the help of many SEO guides available on the Web. Read More . In fact, adding an SSL certificate is so easy, that many web hosts will add it to your site by default, for free! That said, HTTPS still has some flaws that HSTS can help fix.
What Is HSTS?HSTS is a response header that informs a browser that enabled websites can only be accessed via HTTPS. This forces your browser to only being able to access the HTTPS version of the website and any resources on it.
You may not be aware that even though you have set up your SSL certificate correctly and enabled HTTPS for your website, that the HTTP version is still available. This is true even if you have set up forwarding using 301 Permanent Redirection.
Although the HSTS policy has been around for a little while, it was only formally rolled out by Google in July 2016. Which may be why you haven’t heard of it much yet.
Enabling HSTS will stop SSL protocol attacks andcookie hijacking, What's A Cookie & What Does It Have To Do With My Privacy? [MakeUseOf Explains] What's A Cookie & What Does It Have To Do With My Privacy? [MakeUseOf Explains] Most people know that there are cookies scattered all over the Internet, ready and willing to be eaten up by whoever can find them first. Wait, what? That can’t be right. Yes, there are cookies... Read More two additional vulnerabilities in SSL-enabled websites. And in addition to making a website more secure, HSTS will make sites load quicker by removing a step in the loading procedure. What Is SSL Stripping?Although HTTPS is a huge improvement from HTTP, it’s not invulnerable to being hacked. SSL stripping is a very common MITM hack for websites that uses redirection to send users from an HTTP to the HTTPS version of their website.
301 (permanent) and 302 (temporary) redirect basically works like this:
A user types google.com in their browser’s address bar. The browser initially tries to load http://google.com as the default. “Google.com” is set up with a 301 permanent redirect to https://google.com . The browser sees the redirect and loads https://google.com instead.With SSL stripping, the hacker can use the time between step 3 and step 4 to block the redirect request and stop the browser from loading the secure (HTTPS) version of the website. As you are then accessing an unencrypted version of the website, any data you enter can be stolen.
The hacker can also redirect you to a copy of the website you are trying to access, and capture all of your data as you enter it, even if it looks secure.
Google has implemented steps in Chrome to stop some types of redirection. However, enabling HSTS should be something you do by default for all of your websites from now on.
How DoesEnabling HSTS Stop SSL Stripping?Enabling HSTS forces the browser to load the secure version of a website, and ignores any redirect and any other call to open an HTTP connection. This closes the redirection vulnerability that exists with a 301 and 302 redirect.
There is a negative side even to HSTS, and that is that a user’s browser has to see the HSTS header at least once before it can take advantage of it for future visits. This means that they will have to go through the HTTP > HTTPS process at least once, leaving them vulnerable the first time they visit an HSTS-enabled website.
To combat this, Chrome preloads a list of websites that have HSTS enabled. Users can submit HSTS-enabled websites to the preload list themselves if they fit the required (simple) criteria.
Websites added to this list will be hardcoded into future versions of Chrome updates. It makes sure that everyone who visits your HSTS enabled websites in updated versions of Chrome will stay secure.
Firefox, Opera, Safari and Internet Explorer have their own HSTS preload list, but they are based on the Chrome list on hstspreload.org .
How to Enable HSTS on Your WebsiteTo enable HSTS on your website you first need to have a validSSL certificate 7 Reasons Your Site Needs an SSL Certificate 7 Reasons Your Site Needs an SSL Certificate It doesn't matter if you're developing a modest blog or a full e-commerce site: you need an SSL certificate. Here are some practical reasons why. Read More . If you enable HSTS without one, your site will be unavailable to any visitor, so make sure your website and any subdomains are working over HTTPS before continuing.
Enabling HSTS is pretty easy. You simply need to add a header to the .htaccess file on your site. The header you need to add is:
Strict-Transport-Security: max-age=31536000; includeSubDomains This adds a one year max age access cookie (what is a cookie?
