A word or two about HSTS
HTTP Strict Transport Security, HSTS for short, is a policy mechanism (RFC 6797) that a website declares through an HTTP response header to tell browsers it must only be accessed over HTTPS. Once a browser has seen the header over a valid HTTPS connection, it remembers the policy for the stated time, rewrites any http:// request for that host to https:// before sending it, and no longer lets users click through certificate errors for that host. All major browsers support HSTS. Keep the trust-on-first-use catch in mind: the policy only protects a browser that has already visited the site over HTTPS (or that ships with the domain in its preload list), so the very first request can still go out over plain HTTP.
A bit of a “real world” example: picture a group of penguins throwing a fancy party where the dress code strictly requires a bow tie (HTTPS). HSTS is like the penguin bouncer who makes sure no penguin gets in without a bow tie, turning away any penguin trying to enter in just their regular feathers (HTTP).
Why Implementing HSTS Matters
Nowadays, cybersecurity is more important than ever, and applying HTTP Strict Transport Security (HSTS) is a key step to increase online safety. Here are some main reasons why HSTS is important for your website:
- HSTS keeps traffic encrypted by enforcing HTTPS, so an attacker on the network path cannot read or tamper with your website's data in transit.
- It defeats SSL stripping, where an attacker on the path quietly downgrades a user from HTTPS to plain HTTP: a browser that holds an HSTS policy for your host refuses to send plain HTTP to it at all.
- With the includeSubDomains directive, HSTS covers all subdomains of your site as well, which also stops an insecure subdomain from leaking cookies scoped to the parent domain.
- It saves a round trip on return visits: the browser upgrades http:// links to https:// internally instead of sending a plain HTTP request and following the redirect.
- HSTS can improve your site’s Search Engine Optimization ranking. I saw my SEO score jump from A to A+ just by adding HSTS to my configuration!
HSTS is fundamental for your website’s security, enhancing data protection, user trust, SEO, and overall performance. Let’s dive into how you can implement it on your server!
Implementing HSTS on your website
Whether you use Apache or Nginx as your web server, the implementation does not differ much, so let's dive right in. Before making any changes, back up your configuration file.
To begin, locate your Apache configuration file. It lives in /etc/apache2 or /etc/httpd depending on your operating system and Apache setup, and goes by names such as httpd.conf, apache2.conf, or ssl.conf; on Debian-based systems the per-site virtual host files are under /etc/apache2/sites-available/.
Next, make sure the headers module (mod_headers) is enabled, since the Header directive comes from it. On Debian-based systems like Ubuntu you can enable it with the following commands; if you see a message that the module is already enabled, proceed to the next step:
sudo a2enmod headers
service apache2 restart
Next, open the Apache configuration file, locate the <VirtualHost *:443> block for your site, and add the following line inside it (use plain ASCII double quotes; typographic curly quotes will break the directive):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This line tells browsers to access your website exclusively via HTTPS for the next year (31536000 seconds), as set by the max-age directive. The always condition makes Apache send the header on error responses too, not only on successful ones. Put the header only in the HTTPS virtual host: browsers ignore Strict-Transport-Security received over plain HTTP, so the port 80 virtual host should simply redirect every request to HTTPS. includeSubDomains is optional; it is harmless to keep if your website has no subdomains, but if you do have any, every one of them (internal hosts, mail and admin interfaces included) must serve valid HTTPS before you add it, or browsers will refuse to load them for as long as max-age lasts.
Finally, after adding the HSTS line to the configuration file, restart Apache with whichever of these commands your distribution uses:
service httpd restart or service apache2 restart
As with Apache, the location of the Nginx configuration file varies by OS and setup. Look in /etc/nginx/: the main file is typically nginx.conf, and your site configuration usually lives in /etc/nginx/sites-available/, with a symlink in /etc/nginx/sites-enabled/, the directory of active sites. The site file is often named after your domain, for example mywebsite.conf.
Once you have located the file, open it with a text editor of your choice (vi or nano will do).
Add the HSTS header inside the SSL server block (the server block that contains listen 443 ssl):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
Two Nginx-specific caveats apply. The always parameter makes Nginx send the header on every response code rather than only on 2xx and 3xx responses. More importantly, add_header directives are inherited from the server block only when the location block has no add_header of its own, so any location that sets its own headers must repeat the HSTS line, or the header silently disappears for that path. Also, only include the preload directive if you intend to submit the domain to the preload list (covered below); browsers do not act on it by themselves, it signals your consent to being hardcoded as HTTPS-only.
After saving the change, restart Nginx with whichever of these commands your system uses (they are alternatives, not a sequence):
service nginx restart
systemctl restart nginx
Checking if HSTS is enabled
A simple way to make sure the implementation succeeded is to run your site through the SSL Server Test (powered by Qualys SSL Labs), or to request your domain's headers with curl and look for the strict-transport-security line in the output. Repeat the check against a 404 page and, if you used includeSubDomains, against each subdomain: a header that is missing on those responses usually points to a location block or virtual host that does not send it.
curl -I https://bluegrid.io
strict-transport-security: max-age=31536000; includeSubDomains
You can also submit your domain to the HSTS preload list: visit the HSTS Preload List Submission page and enter your domain there. Before the submission is accepted, your domain must meet a fixed set of requirements: a valid certificate, a redirect from HTTP to HTTPS on the same host if you listen on port 80, HTTPS on every subdomain, and an HSTS header on the base domain with a max-age of at least one year (31536000 seconds), the includeSubDomains directive, and the preload directive.
The main benefit is that a preloaded domain is hardcoded into Chrome as HTTPS-only, so even a user's very first visit cannot go out over plain HTTP, which closes the trust-on-first-use gap described earlier. Most major browsers (Firefox, Opera, Safari, IE 11, and Edge) maintain their own HSTS preload lists derived from the Chrome list.
Keep in mind that if you later change your mind and want your website removed from the list, reverting is slow: according to the HSTS Preload List Submission documentation, a removal can take several months to reach users, so only preload a domain you are sure will stay HTTPS-only, including all of its subdomains.
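The curl check above only shows whether the header is present; before submitting a domain it is worth checking the header value against the preload rules as well. The script below is an added example, not code from the original post: a small POSIX shell audit that extracts the Strict-Transport-Security header from a response captured with curl -sI, parses max-age, includeSubDomains and preload, and reports why a header is or is not preload-ready, including the case of a header sent over plain HTTP, which browsers discard. The sample responses are constructed, example.com is a placeholder, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the HSTS header in an
# HTTP response captured with `curl -sI`. Function and variable names are my own.

# Print the Strict-Transport-Security value from a raw response (first match,
# header name matched case-insensitively, CRLF stripped). Prints nothing if absent.
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# Split a header value into one directive per line, whitespace removed.
hsts_directives() {
    printf '%s' "$1" | tr -d ' \t' | tr ';' '\n'
}

# Print the max-age in seconds, or -1 if it is missing or not a number.
# RFC 6797 allows the value to be quoted, so quotes are stripped.
hsts_max_age() {
    age=$(hsts_directives "$1" | grep -i '^max-age=' | head -n 1 \
          | cut -d= -f2 | tr -d '"')
    case "$age" in
        ''|*[!0-9]*) echo -1 ;;
        *)           echo "$age" ;;
    esac
}

# Succeed if the bare directive (includeSubDomains, preload) is present.
hsts_has() {
    hsts_directives "$1" | grep -qi "^$2\$"
}

# hsts_audit SCHEME RESPONSE -> one verdict on stdout, exit 0 only for ok/preload:
#   none      no Strict-Transport-Security header at all
#   ignored   header sent over plain http; browsers discard it (RFC 6797, 8.1)
#   malformed max-age missing or not numeric
#   disabled  max-age=0, which tells browsers to forget the policy
#   weak      max-age under one year (31536000 s), not accepted for preload
#   partial   one-year policy but no includeSubDomains
#   ok        one-year policy with includeSubDomains
#   preload   ok plus the preload token: the header side of the hstspreload.org rules
hsts_audit() {
    scheme=$1
    value=$(hsts_value "$2")
    [ -n "$value" ] || { echo none; return 1; }
    [ "$scheme" != "http" ] || { echo ignored; return 1; }
    age=$(hsts_max_age "$value")
    case "$age" in
        -1) echo malformed; return 1 ;;
        0)  echo disabled;  return 1 ;;
    esac
    [ "$age" -ge 31536000 ] || { echo weak; return 1; }
    hsts_has "$value" includeSubDomains || { echo partial; return 1; }
    if hsts_has "$value" preload; then echo preload; else echo ok; fi
}

# Constructed sample responses shaped like `curl -sI` output (example.com is a placeholder).
GOOD_HTTPS='HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains; preload'

NO_SUBDOMAINS='HTTP/2 200
Strict-Transport-Security: max-age="63072000"'

SHORT_AGE='HTTP/2 200
Strict-Transport-Security: max-age=300; includeSubDomains'

OVER_HTTP='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'

NO_HEADER='HTTP/2 404
content-type: text/html'

# Live use: hsts_audit https "$(curl -sI https://example.com/)"
printf '%-14s %s\n' GOOD_HTTPS    "$(hsts_audit https "$GOOD_HTTPS")"
printf '%-14s %s\n' NO_SUBDOMAINS "$(hsts_audit https "$NO_SUBDOMAINS")"
printf '%-14s %s\n' SHORT_AGE     "$(hsts_audit https "$SHORT_AGE")"
printf '%-14s %s\n' OVER_HTTP     "$(hsts_audit http  "$OVER_HTTP")"
printf '%-14s %s\n' NO_HEADER     "$(hsts_audit https "$NO_HEADER")"
```

Feed it a live response with hsts_audit https "$(curl -sI https://your-domain/)", and run it against a 404 page and each subdomain as well: the preload site only inspects the base domain, but a header lost in one virtual host or location block shows up here as none. The script checks the header alone; the submission page additionally verifies the certificate, the HTTP to HTTPS redirect and HTTPS on the subdomains.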
Adding HTTP Strict Transport Security (HSTS) to your web server is a crucial step toward better security. It forces browsers to use HTTPS for your site, protecting user data and blocking downgrade attacks. Set it up carefully, especially the max-age and includeSubDomains settings, so you do not lock users out of a subdomain that is not yet on HTTPS. Done right, it makes your server safer and builds trust with your users.