The "HSTS - HTTP Strict Transport Security" recipe simplifies the configuration and deployment of HTTP Strict Transport Security (HSTS) on your website. HSTS is a crucial security feature that instructs browsers to only connect to your site over secure, encrypted connections. By installing this recipe, website owners can enhance their website's security, protect against certain types of cyberattacks, and establish a more trustworthy online presence.

Why install HSTS on your website?

Heightened Security: HSTS ensures that all communication between the user's browser and the website occurs over secure HTTPS connections, reducing the risk of man-in-the-middle attacks.

Improved User Trust: By enforcing secure connections, HSTS builds trust among visitors, assuring them that their interactions with the website are protected from potential security threats.

SEO Benefits: Google and other search engines prioritize secure websites. Implementing HSTS can positively impact search engine rankings, contributing to better visibility and credibility.

How does it work?

Using this recipe provides a simple way to configure and deploy HSTS on your website. The recipe creates a rule that defines the Strict-Transport-Security header, which is sent to the user's browser. This header instructs the browser to only access the website through secure HTTPS connections for the specified duration. The recipe also provides the option to add your domain to the HSTS preload list, which ensures that browsers automatically enforce HSTS without initial visits.

Configuration Ease: Using this recipe simplifies the process of configuring the Strict-Transport-Security header, allowing users to define parameters such as the "max-age" value.

Browser Compliance: Once configured, the HSTS header is sent to the user's browser, instructing it to access the website only through secure HTTPS connections for the specified duration.

Preload List Inclusion: Users have the option to add their domain to the HSTS preload list, which ensures that browsers automatically enforce HSTS without initial visits, further enhancing security.

Best practices

Set an Appropriate Max-Age: Choose a reasonable "max-age" value based on your website's needs. This value determines the duration browsers will enforce HSTS. Consider a value of at least one year or more. If you are adding HSTS to an existing website, consider a shorter duration to avoid potential issues, and progressively grow this value over time.

Include Subdomains (Optional): If your website uses subdomains, decide whether to include them in the HSTS policy. This ensures a consistent security posture across all subdomains.

Preload List Addition (Optional): Adding your domain to the HSTS preload list is recommended for long-term security. This list is used by browsers to automatically enforce HSTS, even on the first visit. However, this process is difficult to reverse and can cause issues if not done correctly. Ensure that your website and all its subdomains (including subdomains for internal use only) is fully compliant with HSTS before adding it to the preload list.

Read more about HSTS

How to install this recipe on my website with

Installing this recipe on your website requires the following steps:

  1. Define the Max-Age value: in the form below, specify the desired max-age value, determining how long browsers should enforce HSTS.
  2. Choose subdomains inclusion (Optional): Indicate whether to include subdomains in the HSTS policy, ensuring a uniform security standard across all your subdomains.
  3. Add to the preload list (Optional): Opt to add your domain to the HSTS preload list, enabling browsers to enforce HSTS without prior visits.
  4. Click on the "Install on my website" button: Execute the installation by clicking the "Install on my website" button. This will create the rule for defining the HSTS header, for enhanced security.
  5. Review the created rule: Confirm that the rule accurately reflect your configuration, ensuring the proper deployment of HSTS on your website.
  6. Publish on Your Website: Finalize the installation by publishing the rule on your website. The "HSTS - HTTP Strict Transport Security" recipe ensures a more secure and reliable web presence with minimal effort.