HSTS (HTTP Strict-Transport-Security) is a security policy where the web server tells your browser that a website may only be accessed via HTTPS.
If you simply create a redirect from HTTP to HTTPS, your visitors first land on the HTTP version, and that first request travels unencrypted. An attacker in a "man-in-the-middle" position can intercept that request and redirect visitors to a malicious page without them noticing.
Although activating HSTS is easy, it is important that you know how HSTS works. If HSTS is configured incorrectly, you may not be able to access your website.
Since HSTS requires that connections to your website be made via HTTPS, you may end up in trouble if your website (or any of its subdomain websites, when includeSubDomains is set) is not configured with an SSL certificate. If this is the case, browsers that have already cached the policy will refuse to load your website for the number of seconds specified in max-age (this setting is explained below).
For the above reason, it is a good idea to test HSTS with a low max-age value first, e.g. 3600 (1 hour). Should something go wrong, you can deactivate HSTS, and the website becomes accessible again once that hour has passed.
If you do not preload your domain, browsers only learn that HSTS is active the first time they access the domain over HTTPS and see the header. You should not preload until you have finished testing.
It is very simple to activate HSTS on your domain (and subdomains). You just need to add the following to the top of your website's .htaccess:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Here is an explanation of what the different parameters mean:
Strict-Transport-Security: Tells the browser that HSTS is specified for the domain.
max-age: This value indicates (in seconds) how long browsers should remember that HSTS is active for the domain. A value of 63072000 (2 years) is recommended.
includeSubDomains: Determines whether subdomains of the domain should also be covered by the policy. This is optional.
preload: Specify this if the domain is to be preloaded. Read more about this below. This parameter is also optional.
Read the following about activating HSTS: https://hstspreload.org/#deployment-recommendations
Preloading is a way of telling all browsers that the domain uses HSTS before the individual browser accesses the website. Google maintains a preloading service called HSTSPreload. Although maintained by Google, the service is supported by most (if not all) browsers, such as Mozilla Firefox, Microsoft Edge, and Safari. After testing HSTS, it is recommended that you preload your domain.
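The following is an added example, not code from the original article, showing how the three directives above are parsed and what a given header value means in practice: whether it is a short testing policy, an enforced one, or one that meets the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload all present). It also checks the lock-out caveat described earlier: given a list of hostnames that are assumed to have no HTTPS configured, it reports which of them browsers would refuse to load once the policy is cached. The thresholds come from the hstspreload.org recommendations linked above; the hostnames and header values in the usage block are constructed samples.

```python
# Thresholds from the hstspreload.org deployment recommendations linked in
# the article: the preload list requires max-age >= 1 year, 2 years recommended.
PRELOAD_MIN_MAX_AGE = 31536000
RECOMMENDED_MAX_AGE = 63072000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict, or None if malformed.

    Directives are ';'-separated and case-insensitive (RFC 6797); unknown ones are
    ignored. Whitespace around '=' is tolerated. A missing or non-numeric max-age
    makes the whole header invalid, which is what browsers do as well.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, has_value, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not has_value or not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def assess_hsts(header_value):
    """Classify a header as invalid / disabled / testing / enforced / preload-ready, with notes."""
    policy = parse_hsts(header_value)
    if policy is None:
        return "invalid", ["malformed or missing max-age: browsers ignore the header"]
    notes = []
    max_age = policy["max_age"]
    if max_age == 0:
        # Sending max-age=0 over HTTPS is how a cached policy is cleared.
        return "disabled", ["max-age=0 tells browsers to forget the cached policy"]
    if not policy["include_subdomains"]:
        notes.append("subdomains are not covered (includeSubDomains absent)")
    if max_age < PRELOAD_MIN_MAX_AGE:
        notes.append(f"max-age {max_age}s is below the one-year preload minimum")
    elif max_age < RECOMMENDED_MAX_AGE:
        notes.append("max-age is below the recommended two years")
    if policy["preload"] and (max_age < PRELOAD_MIN_MAX_AGE or not policy["include_subdomains"]):
        notes.append("preload directive present but preload requirements are not met")
    if max_age <= 86400:
        # A policy that expires within a day is a testing value, as the article suggests.
        return "testing", notes
    if policy["preload"] and policy["include_subdomains"] and max_age >= PRELOAD_MIN_MAX_AGE:
        return "preload-ready", notes
    return "enforced", notes


def hosts_locked_out(domain, header_value, hosts_without_https):
    """Hosts that browsers will refuse to load over plain HTTP once this policy is cached.

    The policy covers the exact host and, when includeSubDomains is set, every
    subdomain of it. Hosts outside the domain are never affected.
    """
    policy = parse_hsts(header_value)
    if policy is None or policy["max_age"] == 0:
        return []
    domain = domain.lower()
    covered = []
    for host in hosts_without_https:
        h = host.lower()
        if h == domain or (policy["include_subdomains"] and h.endswith("." + domain)):
            covered.append(host)
    return covered


if __name__ == "__main__":
    # Constructed sample header values and hostnames, for illustration only.
    for value in ("max-age=3600", "max-age=63072000; includeSubDomains; preload", "max-age=0"):
        print(value, "->", assess_hsts(value))
    print(hosts_locked_out("example.com",
                           "max-age=63072000; includeSubDomains; preload",
                           ["intranet.example.com", "example.com", "example.org"]))
```

Run it against the exact string you put in .htaccess before raising max-age: a "testing" result with a note about subdomains is what you want during the one-hour trial, and "preload-ready" with no notes is the state to reach before submitting the domain to hstspreload.org.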