What is HSTS & How to Implement it on your website?
Keeping your website's data safe is probably the most important thing, and believe me, you cannot be sure of that security with just a 301 redirect when switching from HTTP to HTTPS. The 301 redirect still leaves a small window of opportunity for an attacker to get inside your house and steal your most valuable possession: your website's data.
That's enough about the problem; let's talk about the solution!
HSTS, an added level of security for your website.
But what is it really?
What is HSTS?
HSTS stands for HTTP Strict Transport Security. It is a web server directive; in simple terms, it is a web security policy mechanism that allows only secure connections to access your website.
HTTPS is a secure protocol, but there is one flaw that makes it less secure and puts your website data in danger: it is not on by default. So, between the moment a user connects without HTTPS and the moment you tell them to use it, an attacker can hijack the user's connection. It is as bad as it sounds.
So how can HSTS prevent this from happening?
Normally the sequence of events follows this pattern. A user wants to access your website, and their browser sends a request to your server over plain HTTP. The server, being a gentleman, sends a 301 Moved Permanently response to the browser to tell it to redirect the HTTP address to HTTPS. Now the user has access to your website and is happily browsing. The problem occurs when an attacker who controls the user's connection simply blocks the 301 response and hijacks the browsing session, because that first request and its redirect travel over unencrypted HTTP.
HSTS does a simple thing: alongside the 301 redirect, the server also sends a header (on its HTTPS responses) that tells the browser to redirect itself to HTTPS before sending any future request, so the browser never again asks for the HTTP address. So our protagonist, HSTS, saves the day by enabling HTTPS site-wide. Now no one can access your website without a secure connection, and the antagonist, the attacker, is left grinding his teeth in frustration.
Another important term regarding HSTS is preloading, but what is it?
Preloading is the close-combat weapon HSTS uses to secure your website. HSTS has one major flaw: it does not work for the very first connection a user makes. If a user is browsing your website for the first time, there is still a chance of hijacking and all the bad stuff we talked about earlier. Preloading prevents just that.
HSTS preloading is a Chromium project initiative. The Chromium project maintains a list of HSTS-enabled websites that is built into the browser. When a new user browses one of these websites, the preload list makes the browser act as if it had already seen the HSTS header, so even the first connection is secured.
You have to get your website listed in the preload list.
The obvious question now is:
How to set up HSTS?
HTTP Strict Transport Security has some requirements before it can provide its services. They are:
1. A valid SSL certificate.
2. Redirection of all HTTP links to HTTPS with a 301 Permanent Redirect.
3. SSL certificate coverage of all your subdomains.
4. The preload directive must be specified.
5. A max-age of 31536000 seconds (one year).
6. The includeSubDomains directive must be specified if you have subdomains.
To turn on HSTS, you can simply add a header to all responses of your server:
Strict-Transport-Security: max-age=300; includeSubDomains; preload
The examples below use a short max-age of 300 seconds, which is handy while testing; to satisfy requirement 5 above and qualify for the preload list, raise it to 31536000 once you are confident the site works over HTTPS.
To Install HSTS in Apache Web Server
Simply add this to your .htaccess file (it requires mod_headers to be enabled):
# Use HTTP Strict Transport Security to force the client to use secure connections only
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload"
</IfModule>
To Install HSTS in lighttpd
Simply add this to your lighttpd configuration file /etc/lighttpd/lighttpd.conf:
server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=300; includeSubDomains; preload" )
}
To Install HSTS in NGINX
Add this to your site.conf file. Note that always is an NGINX parameter that sends the header on every response code; it belongs outside the quotes, not inside the header value:
add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload" always;
To Install HSTS in IIS Servers
Add this to Global.asax.cs. The switch checks the request scheme, so the header is sent only on HTTPS responses and plain HTTP requests get the 301 redirect:
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            // Already secure: tell the browser to use HTTPS for the next year
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
            break;
        case "http":
            // Plain HTTP: redirect permanently to the same URL over HTTPS
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
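To check a header value against the requirements listed earlier, and to see why a first visit is protected only once the browser has stored a policy or the host is on the preload list, here is an added Python example; it is not code from the article or from hostitsmart, and the host names and timestamps it uses are constructed.

```python
# Added example, not code from the original article: parse a Strict-Transport-Security
# value, check the preload requirements listed above, and model the browser's upgrade decision.

ONE_YEAR = 31536000  # max-age the preload list requires, in seconds

def parse_hsts(value):
    """Return the policy as a dict, or None when max-age is missing or
    invalid (browsers ignore such a header)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def preload_problems(value):
    """List the preload requirements from the section above that fail."""
    policy = parse_hsts(value)
    if policy is None:
        return ["no max-age directive"]
    checks = [(policy["max_age"] >= ONE_YEAR, "max-age below %d" % ONE_YEAR),
              (policy["include_subdomains"], "includeSubDomains missing"),
              (policy["preload"], "preload missing")]
    return [msg for ok, msg in checks if not ok]

def remember(store, host, value, now):
    """Add what a browser keeps after seeing the header on an HTTPS reply."""
    policy = parse_hsts(value)
    if policy is not None:
        store[host] = (now + policy["max_age"], policy["include_subdomains"])
    return store

def upgrades(store, host, now, preload=()):
    """True if an http:// request to host is rewritten to https:// before it
    leaves the browser: host is preloaded, or an unexpired stored policy covers
    it exactly or via includeSubDomains on a parent domain."""
    if host in preload:
        return True
    labels = host.split(".")
    for i in range(len(labels)):
        expires, subdomains = store.get(".".join(labels[i:]), (0, False))
        if now < expires and (i == 0 or subdomains):
            return True
    return False
```

Run preload_problems on the header your server actually sends; an empty list means it meets requirements 4 to 6 above.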
Congratulations, you have successfully added another layer of security to your website!
Source
https://www.hostitsmart.com/manage/knowledgebase/246/What-is-HSTS-and-How-to-Implement-on-your-website.html