HSTS is something every website owner should know about, and in this post, I'm going to be talking about why you should use it, and how to use it.

Why do I need HSTS?

HSTS is an important security header which can greatly improve the security of your site. To understand why it's needed, let's talk about how you load a web page:

When you hit enter to navigate to a site, your browser connects to it over http, as that is the default protocol. If you use https and have the server set up to redirect http to https, this is where the server issues a 301/302 redirect to send you to the https version of the site. With HSTS, the https response you land on carries the Strict-Transport-Security header, and from then on your browser remembers that this site wants to be reached over https only.

This really improves the security of the site: your browser will not even attempt to communicate with that site over http for as long as the HSTS header specifies (the duration is set in the max-age part of the header, which we will come to later). This means that when I communicate with a site, bad actors cannot tamper with the response, because all communications are forced to use https. Below is a diagram to help you visualise this:

A visualisation of how a computer communicates without HSTS vs with HSTS. A big security difference.

This still applies even if the user explicitly asks for the site over http. It does, however, come with a drawback: your site becomes inaccessible to users if your SSL certificate expires or is invalid for any reason, because with HSTS in effect the browser will not let them click through the certificate error:

That's not good! An invalid SSL certificate means the site is now inaccessible.

But as long as you keep your SSL certificates valid, all should be fine. Now that we know how it works, let's talk about how to enable it. I'll be going over two web server programs: nginx and Apache.
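
Before moving on to configuration, here is a small model of the browser-side behaviour described above (an added example, not code from the original post): it parses a Strict-Transport-Security value the way RFC 6797 requires, records a policy only when the header arrived over https, and shows which later http:// navigations get upgraded. The host names, header values and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    host: str
    expires: float            # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_sts(value: str) -> Optional[dict]:
    """Split an STS value into lower-cased directives (names are case-insensitive).
    Returns None when max-age is missing or a directive repeats: browsers ignore it."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:               # a trailing ';' leaves an empty part
            continue
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def record_policy(host: str, scheme: str, header: str, now: float) -> Optional[HstsPolicy]:
    """Only an https response can set a policy; max-age=0 clears it (modelled as None)."""
    if scheme != "https":
        return None
    directives = parse_sts(header)
    if directives is None or int(directives["max-age"]) == 0:
        return None
    return HstsPolicy(host.lower(), now + int(directives["max-age"]),
                      "includesubdomains" in directives)


def upgrade_url(policy: Optional[HstsPolicy], url: str, now: float) -> str:
    """Return the URL the browser actually fetches: http:// becomes https:// when covered."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].lower()
    if policy is None or scheme != "http" or now > policy.expires:
        return url
    covered = host == policy.host or (policy.include_subdomains and host.endswith("." + policy.host))
    return "https://" + rest if covered else url
```

The constructed header value "max-age=31536000; includeSubdomains" is the same one the configuration sections below set, so you can see exactly what a browser stores for it.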

Enabling HSTS

In this post I will only detail how to enable HSTS for nginx and Apache, but the process is similar across most software. Here is a link which details how to enable HSTS for a variety of software: https://blog.appcanary.com/2017/http-security-headers.html#hsts.

Enabling HSTS on Apache

To start, you need to enable the Apache headers module, which can be done by running a2enmod headers. Then go to the virtual host that serves your site over https (browsers ignore the header on plain http responses) and enter the following to enable HSTS:

Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"

This sets the HSTS header with an expiration age of 1 year (31536000 seconds) and instructs the browser to also use HSTS for the subdomains. Reload Apache and you're all done! You can test it out by scanning your site with https://securityheaders.com/. Scroll down and you should see something like this:

Huzzah! HSTS enabled.

Nginx is a similar process, which I will show you now:

Enabling HSTS on Nginx

Enabling HSTS is even easier on nginx. All we have to do is open up the server block for the https site and add the following (the value must be quoted, otherwise nginx treats the first ; as the end of the directive; the always parameter, available since nginx 1.7.5, makes nginx send the header on error responses too):

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

Reload nginx and boom, HSTS enabled, with an expiration age of 1 year and including all the subdomains. Like above, you can test your site on https://securityheaders.com/. You should see the same result as above.

There we have it, we have now enabled HSTS on our site, and your users can feel a lot more secure. See how easy that was? We now have a site where our users aren't vulnerable to an SSL Downgrade attack. I hope you enjoyed this blog post. If you did, please feel free to share it with your friends, the more the merrier.

Need some more help? Feel free to contact me via the contact methods listed on my site. See you next time!