|How-to||– 8 min read –||September 19, 2019|
What is HSTS and how to integrate this technology into your website
What is HSTS support
HSTS is an algorithm that encrypts the connection between the browser and the server. The use of HTTP Strict Transport Security header makes the connection secure for a defined period. The response header informs the browser that websites can only be accessed via HTTPS protocol.
The main purpose of HSTS is to secure the connection; still, there is a number of conditions that keep the client unsafe:
- reinstalling operating system;
- reinstalling the browser;
- visiting a certain site for the first time;
- using a different browser;
- connecting from a new device such as a tablet;
- expired HSTS period;
- clearing out cash.
Use of http protocol results in an insecure connection when first visit the site. Mostly, the redirection to a secure site version is carried out only after you once visited a certain web resource.
To sort it out, Google created Preload List. When a user wants to reach a certain site, the browser first searches the required address on the list and then connects the client to the server using a secure protocol. You can submit your site to the preload list by sending a request:
Getting your site excluded from Preload List is quite complicated. If you decide that your website should not be included in the list anymore, all you need to do is submit a request. However, it takes more than three months for Chrome and even more for other browsers to get the answer.
Besides, your site will be inaccessible for users while pending the answer. Therefore, it is strongly recommended to think over your final decision before adding the website to Preload List. You should act only if you are determined to use https on your website permanently.
With the functioning algorithm, the browser will only show the sites with enabled https protocol. In case a user enters a domain name starting with http in the address bar, the browser will carry out the transfer to https automatically. HSTS mechanism is intended to decrease the number of unencrypted connections and to minimize stealing cookies and personal data.
How to enable HSTS on your site
Ensure serving a valid SSL certificate and manual transfer setting for all web pages. You should not fully rely on automatic browser transfer.
Despite the existence of links that transfer to unsafe pages, insecure connection warnings may appear. All connections on the site should be profoundly checked before you connect your web resource to this mechanism.
Setting up HSTS in Apache
To activate transfer to secure pages, you need to imply the following command:
Having made all the changes, you need to restart the server. HSTS will start functioning as soon as the technology is integrated and the site is included into Preload List.
Setting up HSTS in Nginx
It is prohibited to apply two versions of the site - http and https - on the same server. All connections should be transferred strictly to https.
SSL Server Test service allows checking SSL certificate status and evaluating site security. "A" mark indicates a valid SSL certificate implementation; "A+" mark identifies the sites with enabled HSTS support.
HTTP Strict Transport Security header should be added to the configuration file of the server to make the browser establish a secure connection with your site. Make sure you reset the server after implementing the required changes. Set a minimal period while testing the header to check if it functions correctly.
It is highly recommended to use HSTS continually. In case the algorithm detects an expired SSL certificate or pages with an insecure connection, it will warn you by a message.
If your site has been included into Preload List which is actually a one-sided procedure, it may take quite a long time to get it removed.
|Run Site Audit|
Learn how to get the most out of Serpstat
Want to get a personal demo, trial period or bunch of successful use cases?
Send a request and our expert will contact you ;)
Cases, lifehacks, researches and useful articles
Don’t you have time to follow the news? No worries!
Our editor Stacy will choose articles that will definitely help you with your work. Join our cozy community :)