This article will demonstrate the steps of enabling the HTTP Strict Transport Security (HSTS) policy for your website. You will also learn what HSTS is and the importance of enabling the HSTS policy. Enabling the HSTS policy is one of the safety measures that Cloudways recommend after deploying the SSL Certificate, and forcing HTTPS redirection. In order to implement the HSTS policy, you need to add a rule in the .htaccess file of your web application.
What is HTTP Strict Transport Security (HSTS)?
HTTP Strict Transport Security (HSTS) is a web security policy and web server directive launched by Google in July 2016. It is a method used by websites that set regulations for user agents and a web browser on how to handle its connection using the response header sent at the very beginning and back to the browser.
This sets the Strict Transport Security policy field parameter. This forces the website to load on HTTPS protocol and disregards any script calling to load any of your website content over HTTP protocol.
Why Enable HTTP Strict Transport Security (HSTS)?
Enabling HSTS will revoke SSL protocol attacks and cookies hijacking. It will also allow websites to load faster by removing a step in the loading procedure. As you might know that HTTPS is a massive improvement over HTTP, and it is not vulnerable to being hacked. Still, a very common hack exists for those websites that force HTTPS redirection to send visitors from an HTTP to HTTPS version of the website, and it is called SSL Stripping and comes under the category of Man-In-The-Middle (MITM) attacks.
Let’s see how this 301 permanent redirect and 302 temporary redirect work to understand the SSL Stripping. In this example, we are using a dummy website to demonstrate the flow.
A visitor types anotherwebsite.ga in the browser’s address bar.
The browser initially tries to load http://anotherwebsite.ga as the default.
anotherwebsite.ga is using 301 permanent redirects to https://anotherwebsite.ga.
The browser sees the redirect and then load https://anotherwebsite.ga instead.
Hackers can utilize the time between step 3 and step 4 with SSL Stripping to block the request of redirection and stop the browser from loading the website over HTTPS protocol. Therefore, chances are high for any data to get stolen if hackers access an unencrypted and unsecured version of the website. These intruders can also redirect you to a clone version of the website you are trying to access and steal all of your data as you enter it, even if it looks secure.
Hence, enabling HSTS will oblige the browser to load the secure version of a website and ignore any calls or redirect requests to load a website over the HTTP protocol. This closes the redirection vulnerability that exists with a 301 and 302 redirect.
How to Enable HTTP Strict Transport Security (HSTS) Policy
Here are a few steps that can help you enable the HSTS policy so you can protect your website’s visitors.
It is recommended that you take an on-demand backup of your web application before proceeding further so that you can always restore to the previous point if anything goes wrong while enabling the HSTS policy.
Before enabling the HSTS policy, you need to make sure that the SSL Certificate is deployed on your website, and HTTP to HTTPS redirection is implemented. The following kinds of SSL Certificates can be installed using the Cloudways Platform.
Now, you need to connect to your server remotely via SSH so you can access the .htaccess file of your application.
You can connect to your server via SSH in two ways, so choose your preferred option from the below options. You can also click on the hyperlink text of bullet points to learn about the procedure of connecting remotely to the server.
In this example, we have used the Cloudways Integrated SSH Terminal. You will see a similar window after a successful connection as shown below:
Now, you need to go to that specific directory where your webroot is located. In other words, where your .htaccess file is located. By default, it is in the public_html directory so enter a command mentioned below to go into the public_html folder.
Angle brackets are included to indicate the position of your input, so make sure to remove the angle brackets. Your application name is the same as your Database name (DB name). Click Here to find out where your application name is located.
Here comes the final step of editing the .htaccess file and adding the HSTS rule. Executing the below command will open the file for editing.
Once the file is opened, you need to press i key to go into the editing mode. You will see – – INSERT – – at the bottom of your screen after pressing the key.
You need to use arrow keys for the cursor navigation.
Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress.
To paste the rule after copying, you need to press CTRL+SHIFT+V.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
This rule defines one-year max-age access, which includes your website’s root domain and any subdomains. Once the browser has accessed the website, then it will no longer be able to access the unsecured version (HTTP) of a website for a year. Please make sure that all subdomains are covered in your SSL Certificate, and HTTPS redirection is enabled. If you fail to do so, then your subdomains will no be accessible after saving changes in the .htaccess file.
Before adding the one-year max-age, test your entire website with five minutes max-age first using: max-age=300;
Finally, press the ESC key to exit the editing mode and then type and run the below command to save the changes.
This command can’t be copied and pasted, you need to type the command and hit Enter key.
Post Implementation Steps of HSTS
There are a few steps you need to make sure you execute after editing the .htaccess file for the successful implementation of all the changes.
It's time to verify if your website has an HSTS policy implemented or not, and there are a couple of methods to verify it. We recommend using a third-party tool called SecurityHeaders. In this example, we are scanning a dummy website that has no content and has no other security headers implemented besides HSTS, and as you can see that it shows ✓ Strict-Transport-Security which means that your website has an HSTS policy working.
HSTS Preload List
There is also a negative side to HTTP Strict Transport Security (HSTS) policy that visitor’s browser has to see the HSTS header at least once before it can take advantage of it for future visits. This means that they will have to go through the HTTP to HTTPS process at least once, leaving them vulnerable the first time they visit an HSTS-enabled website.
To encounter this, Google introduced the HSTS Preload List, which lists all those websites and domains under an approved HSTS list that complies with simple criteria, and this list is built into the browser. Similarly, other internet browsers such as Internet Explorer, Firefox, Safari, and Opera have their own HSTS Preload Lists, which is based on Chrome’s HSTS Preload List.
The following are the criteria to list your website for this HSTS Preload List.
Your application should have a valid SSL/TLS certificate.
Your application should force HTTPS redirection.
Serve all subdomains over HTTPS protocol. In particular, you must support HTTPS for www.subdomain if a DNS record for that subdomain exists.
Serve an HSTS header on the base domain for the HTTPS requests.
The preload token directive must be defined.
The max-age must be at least 31536000 seconds (one year).
The includeSubDomains directive must be defined.
If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header rather than the page it redirects to.
If your website adheres to this set criteria, then you may submit your HSTS-enabled website to the HSTS Preload List. Websites added to this list will be hardcoded into future releases of Chrome. It makes certain that visitors visiting websites using updated versions of Chrome remain secured.
SEO Impact on HSTS-enabled Website
You may see warnings from SEO tools about 307 redirects once your website is added to the HSTS preload list. This happens when someone tries to access your website on the unsecured HTTP protocol, and as a result, a 307 redirect happens instead of a 301 redirect.
301 is a permanent redirect, whereas 307 is a temporary redirect, but if your SEO tools only show 307 redirect, then it does not mean that 301 redirect is not happening. 307 redirect is taking place at a browser-level; whereas, 301 redirect is occurring at the application level. You can scan your website by using any redirect checker tools available online to verify if 301 redirect is happening or not, we recommend using httpstatus.
You have learned about HTTP Strict Transport Security (HSTS). There are some other safety measures that Cloudways recommend you should take after installing an SSL certificate besides implementing the HSTS (HTTP Strict Transport Security) policy.
That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.