Ensuring the security of your website is highly important, especially when it comes to keeping it away from threats and hackers. There are different ways through which you can secure your website. The first common way is through an SSL certificate.
If your website runs over HTTPS, then one of the security enhancements which is recommended is the HSTS security header.
In this guide, we’ll get to know all about the HSTS.
About HSTS (HTTP Strict Transport Security)
HSTS basically stands for HTTP Strict Transport Security. It is basically a response header that forces the browser to use secure connections when a site is running over HTTPS. The Strict Transport Security response header directs the browsers to use HTTPS to access a website and avoid using HTTP for any connection.
It is a security header wherein you add to your web server and is reflected in the response header as Strict Transport Security.
By avoiding redirections from HTTP to HTTPS, HSTS reduces the chances of man-in-the-middle-attacks. Even if a visitor is trying to access a website over HTTP, HSTS commands the browser to use HTTPS for interaction.
Also, HSTS is important as it resolves the following issues:
- If there is any attempt by a visitor to use the unsecured version (HTTP://) of a page on your website will be forwarded automatically to the secure version (HTTPS://)
- It does not allow for the overriding of the invalid message certificate which in turn protects the visitor.
Related: Significance Of Web Hosting Security
Benefits of HSTS:
There are a lot of benefits of having HSTS. They are as follows:
- Reduces the risk of information getting unencrypted.
- Improves the data integrity.
- Helps to prevent man-in-the-middle attacks (MitM) and cookie hijacking. This is because your website’s encryption certificate is validated by the end user’s browser.
Knowing About the HSTS Preload List:
The HSTS preload list is an initiative by the two names, Mozilla Firefox and Google Chrome, to solve the issue of untrusted visits of users.
The benefit of the preload list is that your web browser already has the HSTS header before connecting to the website for the very first time. It’s easy to get added to the list of HSTS preloaded list. It’s only a single line of code (that includes the word “preload”) that goes beside the HSTS header.
After this is added, go to Google’s sign-up page and add yourself to the list. The HSTS preload list is updated each time a new version of the browser is released.
HSTS Supports Which Browsers?
HSTS supports the below browsers:
- Google Chrome version since version 4.0.211.0
- Opera since version 12
- Firefox since version 4, Firefox 17. Mozilla integrates with a list of websites supporting HSTS
How to Enable HSTS in Apache?
This is how you can enable HSTS in Apache:
First, to enable HSTS, you need to enable the mod_headers. Run the command:
a2enmod headers
In the configuration of your Apache site, add the following command inside every Virtual Host. Also, look for
<VirtualHost *:443> Header always set Strict-Transport-Security “max-age=15552000; includeSubdomains”
How to Enable HSTS in Ngnix?
In your Ngnix site configuration, add the following to each SSL server block:
add_header Strict-Transport-Security “max-age=15552000; includeSubDomains”
And that’s all about HSTS!
Conclusion
It’s recommended to set up HSTS on your website. It keeps both your customer’s data and your own security. Also helps to rank better on search engines.
