This recipe simplifies the configuration and deployment of HTTP Strict Transport Security (HSTS) on your website. HSTS is a security feature that instructs browsers to connect to your site only over encrypted HTTPS connections. By installing this recipe, website owners can harden their site against protocol-downgrade ("SSL stripping") attacks and give visitors a reliable guarantee that they are talking to the site over TLS.
If your website is available over HTTPS (which should obviously be the case nowadays), enabling HSTS tells browsers to always use HTTPS and never plain HTTP, even when a user clicks an http:// link or types the bare hostname: the browser rewrites the request to HTTPS before it leaves the machine. Note that a browser only learns the policy once it has received the header over a valid HTTPS connection; the header is ignored when received over plain HTTP, and a brand-new visitor's very first request is not protected unless the domain is on the preload list (see below). In other words, HSTS is a simple way to make sure that returning visitors never contact your website over an unencrypted protocol.
Why install HSTS on your website?
HSTS should be enabled on every website that is served over HTTPS with a valid TLS certificate. It offers several advantages:
- Improved security: HSTS ensures that all communication between the user's browser and the website occurs over HTTPS, closing the window in which a man-in-the-middle could intercept an initial plain-HTTP request and strip the redirect to HTTPS. Browsers also refuse to let the user click through certificate errors on an HSTS host, which blocks interception with a forged certificate.
- Higher user trust: by enforcing secure connections, HSTS assures visitors that their interactions with the website are encrypted end to end.
- SEO benefits: Google and other search engines treat HTTPS as a ranking signal. HSTS does not add a signal of its own, but it guarantees that visitors and crawlers are consistently kept on the HTTPS version of your site rather than split across two variants.
How does it work?
Using this recipe provides a simple way to configure and deploy HSTS on your website. The recipe creates a redirection.io rule that sets the value of the Strict-Transport-Security response header sent to the user's browser. This header instructs the browser to access the website only through HTTPS for the specified duration (the max-age directive, in seconds). The recipe can also add the preload directive to the header; this is the first step towards getting your domain into the HSTS preload list shipped with browsers, which enforces HTTPS even on a visitor's very first request. Actual inclusion in the list is not done by the recipe: you submit the domain yourself at hstspreload.org, which checks that the header is served correctly before accepting it.
- Easy configuration: using this recipe simplifies the process of configuring the Strict-Transport-Security header, allowing you to define parameters such as the max-age value. There is no need to edit the server configuration files!
- Browser compliance: once configured, the HSTS header is sent to the user's browser with every HTTPS response, instructing it to access the website only through HTTPS for the specified duration. Each response refreshes the timer, so the policy stays active as long as the site keeps sending the header.
- Preload list inclusion: you can add the preload directive to the header and then submit your domain to the HSTS preload list, which ensures that browsers enforce HSTS without any prior visit, further enhancing security.
Best practices
Some best practices can be followed when configuring HSTS:
- Set an appropriate max-age: choose a reasonable max-age value, based on your website's needs. This value (in seconds) determines how long browsers will enforce HSTS after the last time they saw the header. For a site that is already fully HTTPS, use at least one year (31536000 seconds). If you are adding HSTS to an existing website, start with a short duration (minutes or hours) so that a mistake, such as a subdomain that is still served over HTTP, can be backed out quickly, and progressively grow this value over time.
- Include subdomains (optional): if your website uses subdomains, decide whether to include them in the HSTS policy with the includeSubDomains directive. The policy applies to the host that sent the header and, with this directive, to all of its subdomains, so it must be sent from the apex domain (example.com) to cover them all. Take care that including subdomains will make every subdomain unreachable over plain HTTP or with an invalid certificate! If an internal application on a subdomain uses a self-signed certificate, it will become inaccessible in browsers that have seen the header, and users will not be offered a way to click through the error.
- Preload list addition (optional): adding your domain to the HSTS preload list is recommended for long-term security. Browsers ship this list and enforce HSTS for its domains even on the first visit. To be accepted, the header served on the apex domain over HTTPS must have a max-age of at least one year, the includeSubDomains directive and the preload directive, and any HTTP listener must redirect to HTTPS on the same host. Removal from the list is slow (it only propagates with browser releases, so it can take months) and can break sites if not done correctly. Ensure that your website and all its subdomains (including subdomains for internal use only) are fully served over HTTPS with valid certificates before submitting the domain at hstspreload.org.
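To make the header format and the best practices above concrete, here is an added example (not part of the recipe or of redirection.io's own code) that builds a Strict-Transport-Security value from a policy, parses a received header as described in RFC 6797, lists the header-level reasons hstspreload.org would reject it, and produces the staged max-age ramp recommended for existing sites. The stage values in rollout_schedule are an assumption chosen for illustration, not a requirement of the recipe.

```python
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

    def header_value(self) -> str:
        """Serialize the policy as a Strict-Transport-Security header value."""
        parts = [f"max-age={self.max_age}"]
        if self.include_subdomains:
            parts.append("includeSubDomains")
        if self.preload:
            parts.append("preload")
        return "; ".join(parts)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a received header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, max-age is mandatory, a directive
    may appear at most once, and unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            raise ValueError(f"directive {name!r} appears more than once")
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"invalid max-age: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list[str]:
    """Header-level reasons a policy would be rejected by hstspreload.org.

    Site-level requirements (HTTP redirecting to HTTPS on the same host, every
    subdomain reachable over HTTPS with a valid certificate) are not covered
    here and must be checked against the live site.
    """
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def rollout_schedule(target: int = ONE_YEAR) -> list[int]:
    """Staged max-age values for adding HSTS to an existing site.

    Assumed illustrative ramp: start short so a mistake (e.g. a subdomain still
    on plain HTTP) can be backed out within minutes, then grow to the target.
    """
    stages = [300, 3600, 86400, 604800, 2592000]  # 5 min, 1 h, 1 day, 1 week, 30 days
    return [s for s in stages if s < target] + [target]


if __name__ == "__main__":
    # Constructed sample header, as a site in its first rollout stage would send it.
    received = "max-age=300; includeSubDomains"
    policy = parse_hsts(received)
    print("parsed:", policy)
    print("preload blockers:", preload_problems(policy))
    print("ramp:", rollout_schedule())
    print("final header:", HstsPolicy(ONE_YEAR, True, True).header_value())
```

The parser is what you would run against the header returned by your site (for instance from the output of an HTTPS HEAD request) to confirm that the recipe is publishing the directives you expect; a header received over plain HTTP is meaningless for this purpose, because browsers discard it.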
Read more about HSTS
How to install this recipe on my website with redirection.io?
Installing this recipe on your website requires the following steps:
- Define the max-age value: specify the desired max-age value (in seconds), determining how long browsers should enforce HSTS after their last visit.
- Choose subdomains inclusion (optional): indicate whether to include subdomains in the HSTS policy, ensuring a uniform security standard across all your subdomains. Make sure every subdomain, including internal ones, is reachable over HTTPS first.
- Add the preload directive (optional): opt to add the preload directive to the header. This prepares the domain for the HSTS preload list, which lets browsers enforce HSTS without any prior visit; the domain still has to be submitted at hstspreload.org, and only with a max-age of at least one year and subdomains included.
- Click on the "Install on my website" button: install the recipe. This creates the redirection.io rule that sets the Strict-Transport-Security header, in "draft" mode.
- Review & publish on your website: edit the new rule if necessary, then publish the rules.
HSTS should be enabled on your website within seconds after this. You can confirm it by inspecting the response headers of an HTTPS request to your site and checking that the Strict-Transport-Security header carries the max-age and directives you configured.