This article will show you how to make your website follow the HTTP Strict Transport Security (HSTS) policy. You will also find out what HSTS is and why it is important to have the HSTS policy turned on.

One safety measure that should be taken after deploying the SSL Certificate and forcing HTTPS redirection is to turn on the HSTS policy. A rule needs to be added to the.htaccess file of your web application in order for the HSTS policy to work.

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a policy and directive for web servers that was made public by Google in July 2016. Sites use this method to tell user agents and web browsers how to handle a connection by sending a response header at the start of the connection and then sending it back to the browser.

This sets the field parameter for the Strict Transport Security policy. When you do this, the website will only load on HTTPS. Any script calls that try to load your website content over HTTP will be ignored.

Why Enable HTTP Strict Transport Security (HSTS)?

If you turn on HSTS, SSL protocol attacks and cookie hijacking will not work anymore. It will also make websites load faster by cutting out a step in the process. It’s possible that you already know that HTTPS is much better than HTTP and can’t be hacked. Still, there is a very common way to hack websites that force HTTPS redirection to send visitors from an HTTP version of the website to an HTTPS version of the website. This is known as SSL Stripping and is a type of Man-In-The-Middle (MITM) attack.

To understand SSL Stripping, let’s look at how this 301 permanent redirect and this 302 temporary redirect work. As an example, we’ll use a fake website to show how the flow works.

  1. Someone types testwebsite.com into the address bar of their browser.
  2. As a default, the browser tries to load https://testwebsite.com/ at first.
  3. 301 permanent redirects are being used to send people to https://testwebsite.com/.
  4. When the browser sees the redirect, it loads https://testwebsite.com/ instead.

If you use SSL Stripping between steps 3 and 4, hackers can use that time to stop the request for redirection and stop the browser from loading the website over HTTPS.

Because of this, any data could be stolen if hackers get into a version of the website that isn’t encrypted or secured.

Also, even if the website you are trying to access looks safe, these hackers can send you to a copy of it and steal all of your information as you enter it.

As a result, if you turn on HSTS, your browser will have to load the secure version of a website instead of any HTTP requests or calls. With this, the redirection hole that a 301 and 302 redirect leave is closed.

How to Enable HTTP Strict Transport Security (HSTS) Policy

Here are some steps you can take to make the HSTS policy work and protect people who visit your website.

Tip

It is suggested that you make an on-demand backup of your web application before going any further. This way, you can always go back to a previous point if something goes wrong while the HSTS policy is being enabled.

Step# 1

Before you turn on the HSTS policy, you need to make sure that your website has an SSL Certificate and that HTTP to HTTPS redirection is set up. You can put in the following types of SSL Certificates:

— Free Let’s Encrypt SSL Certificate.

— Free Let’s Encrypt Wildcard SSL Certificate.

— Custom SSL Certificate.

Step# 2

Now you need to use SSH to connect to your server from afar so that you can get to your application’s.htaccess file.

There are two ways to connect to your server via SSH. Pick the one you like best from the list below. To learn how to connect to the server from afar, you can also click on the hyperlink text in the bullet points.

  • Using SSH Client.
  • Using the Cloudways Integrated SSH Terminal.

The Cloudways Integrated SSH Terminal was used in this case. After a successful connection, you’ll see a window like the one below:

Step# 3:

You need to now go to the exact directory where your webroot is. Where your.htaccess file is kept, in other words. It’s in the public_html directory by default, so type one of the commands below to get to that folder.

cd applications//public_html/

Important

There are angle brackets there to show where your input should go, so make sure you take them off. Your database name (DB name) is the same as the name of your app.

Step# 4

This is the last step, which is to add the HSTS rule to the.htaccess file. If you run the following command, the file will be ready to be edited.

vim .htaccess

To start editing, you need to press the “i” key after opening the file. After you press the key, you’ll see INSERT at the bottom of your screen.

Tip

To move the cursor, you have to use the arrow keys.

You should then copy this HSTS rule and paste it before the line that says # BEGIN WordPress.

Tip

Once you’ve copied the rule, press CTRL+SHIFT+V to paste it.

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS

The maximum age for accessing your website’s root domain and any subdomains is set by this rule at one year. Once the browser has been to the website, it will not be able to go to the HTTP version of the website for a year. Please make sure that your SSL Certificate covers all subdomains and that HTTPS redirection is turned on. In the event that you fail to do so, your subdomains will not be accessible after you save the changes to the.htaccess file.

Important

Before you add the one-year max-age, test your whole website with a max-age of five minutes using maximum-age: 300;

This is the last step. Press the ESC key to leave editing mode. Type and run the following command to save the changes.

:wq!

Tip

You have to type this command and press the Enter key. You can’t copy and paste it.

Post Implementation Steps of HSTS

In order for all of your changes to take effect, you need to make sure you follow a few steps after editing the .htaccess file.

Step# 1
Clear the cookies and cache in your browser, delete the Varnish cache, and use Cloudways Platform to restart the Apache webserver.

Step# 2

Now is the time to check to see if your website has a HSTS policy in place. There are a few ways to do this. A third-party tool called SecurityHeaders is what we suggest you use. We are scanning a fake website that doesn’t have any content and only uses HSTS as a security header. You can see that it shows ✓ Strict-Transport-Security, which means that your website has a HSTS policy in place.

HSTS Preload List

When someone visits a website, their browser has to see the HTTP Strict Transport Security (HSTS) header at least once before it can use it on future visits. This is not a good thing. So, they will have to go through the process of switching from HTTP to HTTPS at least once. This leaves them open to attack the first time they visit a website that uses HSTS.

Google made the HSTS Preload List to deal with this problem. This list includes all the websites and domains that are on an approved HSTS list that meets some simple requirements. The browser already has this list installed. Other browsers, like Internet Explorer, Firefox, Safari, and Opera, also have their own HSTS Preload Lists that are based on Chrome’s.

This is what you need to do to get your website on the HSTS Preload List.

  1. A valid SSL/TLS certificate should be in your app.
  2. Your app should make HTTPS redirections happen.
  3. All subdomains should be served over HTTPS. For example, if there is a DNS record for www.testwebsite.com, you must support HTTPS for that subdomain.
  4. For HTTPS requests, add a HSTS header to the base domain.
  • The preload token directive needs to be set up.
  • The maximum age has to be at least 31536000 seconds, which is a year.
  • You need to define the includeSubDomains directive.
  • In the event that you serve an extra redirect from your HTTPS site, it must still have the HSTS header and not the page it goes to.

There are certain rules that your website must follow in order to be added to the HSTS Preload List. If you add a website to this list, it will be built into future versions of Chrome. It makes sure that people who visit websites using the latest versions of Chrome stay safe.

SEO Impact on HSTS-enabled Website

When your site is added to the HSTS preload list, SEO tools may warn you about 307 redirects. People who try to access your website using the unprotected HTTP protocol will get this message. Instead of a 301 redirect, a 307 redirect will happen.

A 307 redirect is only temporary, while a 301 redirect is permanent. If your SEO tools only show a 307 redirect, that doesn’t mean a 301 redirect isn’t happening. As you can see, 307 redirect happens at the browser level, while 301 redirect happens at the application level. You can use any online redirect checker tool to look at your website and see if 301 redirect is working. For example, https://testwebsite.com/ works well.

HTTP Strict Transport Security (HSTS) is something you now know about. After installing an SSL certificate, Cloudways suggests that you follow some other safety steps besides putting in place the HSTS (HTTP Strict Transport Security) policy.

There you have it! We hope this post was useful. Get in touch with our expert team if you have any questions or need help setting up HSTS on your website.