How-to 8 min read September 19, 2019

What is HSTS and how to integrate this technology into your website

HSTS should only be enabled once correct HTTPS operation is ensured on every page of your site. You can either set the HTTP Strict Transport Security header yourself or enable the HSTS function in your hosting account to have visitors redirected automatically to a secure connection.

What is HSTS support

If you type a domain name into the browser's address bar without the https prefix, or simply as "site.com", you are taken to the insecure version of the site. An SSL certificate cannot secure the connection when you access a page for the first time. Online fraudsters use this weak point to obtain users' personal data and to redirect them to fake pages.

HSTS is a mechanism that forces the connection between the browser and the server to be encrypted. Using the HTTP Strict Transport Security header keeps the connection secure for a defined period. The response header tells the browser that the website may only be accessed over the HTTPS protocol.

The main purpose of HSTS is to secure the connection; still, there are a number of situations in which the client remains unprotected:

  • reinstalling the operating system;
  • reinstalling the browser;
  • visiting a site for the first time;
  • using a different browser;
  • connecting from a new device, such as a tablet;
  • an expired HSTS period;
  • clearing the browser cache.

Using the http protocol results in an insecure connection on the first visit to a site. In most cases, the redirect to the secure version of the site happens only after you have visited the resource once before.

To address this, Google created the Preload List. When a user wants to reach a site, the browser first looks the address up on the list and, if it is there, connects to the server over a secure protocol straight away. You can submit your site to the preload list by sending a request:
HSTS Preload List Submission
With HSTS active, the browser will not allow reaching the site if the SSL certificate has expired or if it detects pages that cannot be loaded over a secure connection. There is no way for the browser to bypass a connection protected by HSTS.

Getting your site removed from the Preload List is quite complicated. If you decide that your website should no longer be on the list, all you need to do is submit a request; however, it takes more than three months for Chrome, and even longer for other browsers, to act on it.

Moreover, your site will be inaccessible to users while the request is pending. Therefore, think your final decision over carefully before adding the website to the Preload List: do it only if you are determined to use https on your website permanently.

With the mechanism in place, the browser will only load the site over https. If a user enters a domain name starting with http in the address bar, the browser rewrites it to https automatically. The HSTS mechanism is intended to reduce the number of unencrypted connections and to minimise theft of cookies and personal data.
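The browser-side behaviour described in this section, written out as an added example (this is illustrative code, not code from the article or from any browser): a small in-memory model of the HSTS store that records a policy only after a response has arrived over HTTPS, honours max-age expiry and includeSubDomains, loses learned entries when the cache is cleared, and treats preloaded hosts as known from the start. All host names and the preload entries are constructed.

```python
"""Simulated browser-side HSTS store. Added example, not code from the
article: it models why protection applies only after the first HTTPS
visit, lapses when max-age expires or the store is cleared, and how the
preload list closes the first-visit gap. Host names are constructed."""
from urllib.parse import urlsplit, urlunsplit

PRELOADED = float("inf")  # preloaded entries never expire and survive a cache clear


def parse_policy(header_value):
    """Extract (max_age_seconds, include_subdomains) from a header value."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=()):
        # preload: stand-in for the browser's built-in list, as (host, include_subdomains)
        self.known = {host: (PRELOADED, sub) for host, sub in preload}

    def remember(self, host, header_value, now):
        """Record the policy carried by a response received over HTTPS at time `now`."""
        max_age, include_sub = parse_policy(header_value)
        if max_age is None:
            return  # no usable max-age: browsers ignore the header
        if max_age == 0:
            self.known.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.known[host] = (now + max_age, include_sub)

    def clear(self):
        """Clearing browser data drops every dynamically learned policy."""
        self.known = {h: v for h, v in self.known.items() if v[0] == PRELOADED}

    def is_known(self, host, now):
        """True if `host` or a covering parent domain has an unexpired policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None or entry[0] <= now:
                continue
            if candidate == host or entry[1]:
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, parts.fragment))
        return url


def demo():
    """Walk through the situations the article lists; returns the requested URLs."""
    store = HstsStore(preload=[("preloaded.example", True)])
    steps = {}
    steps["first_visit"] = store.navigate("http://site.example/login", now=0)
    store.remember("site.example", "max-age=3600; includeSubDomains", now=0)
    steps["second_visit"] = store.navigate("http://site.example/login", now=10)
    steps["subdomain"] = store.navigate("http://mail.site.example/", now=10)
    steps["expired"] = store.navigate("http://site.example/login", now=3601)
    store.remember("site.example", "max-age=3600", now=4000)
    store.clear()
    steps["after_clear"] = store.navigate("http://site.example/", now=4001)
    steps["preloaded"] = store.navigate("http://www.preloaded.example/", now=0)
    return steps


if __name__ == "__main__":
    for step, url in demo().items():
        print(f"{step:13} -> {url}")
```

Running `demo()` shows the first visit, the expired period and the cleared cache all going out over plain http, while the repeat visit, the subdomain and the preloaded host are rewritten to https before any request is sent.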

How to enable HSTS on your site

Some hosting providers let you enable this option in the account settings. Otherwise, you need to add a correctly formed header to the server configuration. The header variants are as follows:

  • Strict-Transport-Security: max-age=<expire-time> sets the period, counted from the first visit, during which HSTS is enforced for the site.
  • Strict-Transport-Security: max-age=<expire-time>; includeSubDomains sets an HSTS period that covers the main domain as well as its subdomains.
  • Strict-Transport-Security: max-age=<expire-time>; preload tells the browser the HSTS period and requests inclusion of the site in the Preload List.

Here is a basic header variant (the Nginx add_header directive):
add_header Strict-Transport-Security "max-age=31536000";
It means that the header is valid for one year, given in seconds. While testing, it is advisable to set a small max-age value: if anything breaks, only a few users will see the error, and you will have a chance to make corrections and to observe site visits with the HSTS header active.
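A validator for the header value, added here as an example (not code from the article): it parses the three directives listed above, flags the mistakes that make a header ineffective (missing or non-numeric max-age, max-age=0, duplicate directives) and, when the site is meant for the Preload List, checks the eligibility rules published at hstspreload.org, namely a max-age of at least one year together with the includeSubDomains and preload directives. The constant and directive names are from the article and the HSTS specification; the function names are my own.

```python
"""Validator for a Strict-Transport-Security header value. Added example,
not code from the article: it parses the directives the article lists,
flags mistakes that make the header ineffective, and checks the
eligibility rules published at hstspreload.org (max-age of at least one
year, includeSubDomains and preload all present)."""
import re

ONE_YEAR = 31536000  # seconds; the value used in the article's examples
_TOKEN = re.compile(r"^[A-Za-z0-9-]+$")
_KNOWN = {"max-age", "includesubdomains", "preload"}


def parse_sts(value):
    """Split a header value into {directive: value}; also return errors and warnings."""
    directives, errors, warnings = {}, [], []
    parts = value.split(";")
    if parts[-1].strip() == "":
        warnings.append("trailing ';' is tolerated by browsers but sloppy")
    for raw in parts:
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if not _TOKEN.match(name):
            errors.append(f"malformed directive {raw!r}")
            continue
        if name in directives:
            errors.append(f"duplicate directive {name!r}; browsers ignore the whole header")
        directives[name] = val.strip().strip('"')
    return directives, errors, warnings


def validate_sts(value, want_preload=False):
    """Return {'ok', 'errors', 'warnings'} for a header value."""
    directives, errors, warnings = parse_sts(value)
    max_age = directives.get("max-age")
    if max_age is None:
        errors.append("max-age is required; without it the header is ignored")
    elif not max_age.isdigit():
        errors.append(f"max-age must be a non-negative integer, got {max_age!r}")
    else:
        seconds = int(max_age)
        if seconds == 0:
            errors.append("max-age=0 removes the policy rather than enabling it")
        elif want_preload and seconds < ONE_YEAR:
            errors.append(f"preload requires max-age >= {ONE_YEAR} (one year)")
    if want_preload:
        if "includesubdomains" not in directives:
            errors.append("preload requires includeSubDomains")
        if "preload" not in directives:
            errors.append("preload requires the preload directive")
    for name in sorted(set(directives) - _KNOWN):
        warnings.append(f"unknown directive {name!r} is ignored by browsers")
    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for candidate, preload in [
        ("max-age=31536000", False),
        ("max-age=600; preload", True),
        ("max-age=31536000; includeSubDomains; preload", True),
    ]:
        result = validate_sts(candidate, want_preload=preload)
        print(candidate, "->", "OK" if result["ok"] else result["errors"], result["warnings"])
```

Feed it the value your server actually sends (for instance the part after `Strict-Transport-Security:` in a captured response) rather than the configured string, since a stray quote or semicolon in the configuration shows up as a syntax warning only once the header is on the wire.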

Ensure that a valid SSL certificate is served and that redirects are configured manually for all web pages. You should not rely entirely on the browser's automatic redirect.

If there are links that lead to insecure pages, insecure-connection warnings may appear. All connections on the site should be checked thoroughly before you enable this mechanism on your web resource.
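One way to carry out the check the two paragraphs above call for, as an added example that is not part of the article: an offline scan of a page's HTML for `http://` references. Subresources (stylesheets, scripts, images, embedded objects) loaded over plain http are what produce insecure-connection warnings once the site is HTTPS-only, so they are treated as blockers; navigation links and form actions are reported separately so they can be fixed as well. The sample HTML and host names are constructed for the example; the class and function names are my own.

```python
"""Offline pre-check before enabling HSTS. Added example, not code from
the article: scans a page's HTML for http:// references that would break
or warn once the site is HTTPS-only. The sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# attributes that can carry a URL; tags whose URL is a navigation target, not a load
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster"}
NAV_TAGS = {"a", "area", "form"}


class InsecureRefFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in RESOURCE_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # https://, relative and protocol-relative ("//host/...") references are fine
            self.findings.append({
                "tag": tag,
                "attr": name,
                "url": value,
                # a link is followed on click; a subresource is fetched while the page loads
                "kind": "link" if tag in NAV_TAGS else "subresource",
                # same-site references would be rewritten by HSTS later, but should be fixed at the source
                "same_site": parts.hostname == self.page_host,
            })


def audit_html(html, page_host):
    """Return the insecure references found in `html` and whether the page is ready for HSTS."""
    finder = InsecureRefFinder(page_host)
    finder.feed(html)
    finder.close()
    subresources = [f for f in finder.findings if f["kind"] == "subresource"]
    links = [f for f in finder.findings if f["kind"] == "link"]
    return {"subresources": subresources, "links": links, "ready": not subresources}


# constructed sample page: one insecure stylesheet, one insecure form action, two insecure links
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://site.example/css/main.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="//images.example/logo.png">
<a href="http://site.example/about">About</a>
<a href="http://partner.example/">Partner</a>
<form action="http://site.example/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML, "site.example")
    for finding in report["subresources"] + report["links"]:
        print(f'{finding["kind"]:11} <{finding["tag"]} {finding["attr"]}> {finding["url"]}')
    print("ready for HSTS:", report["ready"])
```

The scan only covers what is visible in the markup; references added by scripts at runtime or pulled in from CSS still need a browser-console check on the live site.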

Setting up HSTS in Apache

In the server configuration file, enter the following:
<VirtualHost 67.89.123.45:443>
  # The Header directive is provided by mod_headers, which must be enabled
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
The stated validity period is refreshed on each visit to the site. In the example above, the validity period is one year, which is 31536000 seconds.

To redirect visitors to the secure pages, add the following to the configuration:
<VirtualHost *:80>
  [...]
  ServerName site.com
  Redirect permanent / https://site.com/
</VirtualHost>
Replace site.com with your own domain name.

Having made the changes, restart the server. HSTS starts working as soon as the header is in place and the site is included in the Preload List.

Setting up HSTS in Nginx

Add the Strict-Transport-Security header with correctly formed parameters to the configuration file in /etc/nginx/conf.d, which is included from the hosting panel. Make sure that your server supports HSTS.

Running two versions of the site - http and https - side by side on the same server is not acceptable. All connections should be redirected strictly to https.

The SSL Server Test service lets you check the SSL certificate status and evaluate site security. An "A" grade indicates a valid SSL certificate implementation; "A+" identifies sites with HSTS support enabled.
How to check site's security and HSTS online using SSL Server Test

Conclusion

HSTS should only be integrated after a thorough review of the site's https connections.

The HTTP Strict Transport Security header should be added to the server configuration file so that the browser establishes a secure connection with your site. Make sure you restart the server after making the changes. Set a short period while testing the header to check that it works correctly.

It is highly recommended to use HSTS continuously. If the mechanism detects an expired SSL certificate or pages with an insecure connection, it will warn you with a message.

If your site has been included in the Preload List, which is in practice a one-way procedure, it may take quite a long time to get it removed.