Secure your site and speed up loading with HSTS

Back to Blog

Secure your site and speed up loading with HSTS

What on earth is HSTS?

HTTP Strict Transport Security (also known as HSTS) is a powerful mechanism to increase the security of your website.

This technology provides a method by which websites announce that they may only be accessed using a secure connection (HTTPS). If a website has an HSTS policy, the browser must refuse all HTTP (non- secure) connections and prevent visitors from accepting insecure SSL certificates. HSTS is currently supported by most major browsers, see the compatibility list to see which are supported.

Why Should I Use it?

Implementing HSTS into your website can significantly reduce the likelihood of some cybersecurity issues such as man-in-the-middle attacks, protocol downgrade attacks & cookie hijacking all which use SSL stripping. SSL stripping is a technique where an attacker forces the browser to connect to a site using HTTP so that they can sniff packets and intercept or modify sensitive information.

OK, I’m convinced. How do I implement it?

First you should ensure that:-

  1. You have a valid SSL Certificate installed
  2. There is a redirect from HTTP to HTTPS with 301 Redirection on the same host, if you are using port 80.
  3. Have HTTPS for all subdomains.
  4. In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.

Now you simply add the following line to the top of your .htaccess file

# Enable HSTS on WordPress blog
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
  • “max-age” is to define how long the website will be accessible only from the HTTPS.
  • “includeSubDomains” is to make certain that whether the subdomains of the website should be included for HSTS or not.

NOTE:

  1. If you can’t see your .htaccess file either via your hosting panel or FTP then the file is hidden and you will need to use the “show hidden files” setting.
  2. Please, please, please make a backup of your .htaccess file before editing it.  This wee file is very powerful and getting something wrong here can result in your website being completely inaccessible.

How can I speed up these requests?

There is a cool trick to make HTTPS requests faster. It works with every webserver, browser and device.

Google maintains an HSTS preload service. By following the guidelines above and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list.

So one you’ve gone though the above steps visit https://hstspreload.org/ , enter domain name (not www.domain.com or https://domain.com, only domain.com) and add your domain to HSTS preload list. It can take some time until your domain is added to the list.

If you need assistance setting this up on your please feel free to contact me and I’ll give you a helping hand!

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Blog