Few years back “http” was the primary protocol used on the websites but as the time and internet grows, vulnerabilities also grows and to fix such issues “https” came into existence.
In 2022, today SSL/TLS channel are default mode of deployment. While setting up your project online you can generate a free certificate from either Let’s encrypt or your hosting provider like AWS, Azure and our favorite Cloudflare
After installing the certificate, and setting up a basic 301 redirect from http to https we can assume our data and the visitors data is completely safe now?
Unfortunately the visitor’s data is still not secure because the web entities might be vulnerable to the MITM attacks i.e “Man in The Middle”
What is MITM (Man In The Middle)
MITM attacks have become a new normal online after the introduction of “https” protocol. According to Netcraft – 95% of HTTPS servers vulnerable to MITM , MITM attacks were thought to pose a threat to 95% of HTTPS servers in 2016. Source – NetCraft
It is important for the web developers to protect users data and secure the websites.
Here is how the Whole MITM works, A user sends a http request to the server and MITM reads the request. Server gives the result after a 301 redirect. With the help of fake access point redirect the MITM redirects the information to you with insecure protocol while the MITM having the access to the whole information you just requested from the server.
The crazy part of this attack which is called as SSLtrip attack will not be noticed by a common user online.
Some other attacks like cookie hijacking, fake persona websites like examp1e.com for a website example.com etc
We can talk about these type of web attacks in a separate lesson in detail.
What Is HSTS?
HSTS stands for hyper strict transport security. Originally it was called STS but later on it was called HSTS IN 2012.
What it does mainly by telling the server to strictly communicate in the secure protocol
Here is an explanation about how the server interacts with HSTS and without HSTS
Why Should We Use HSTS?
So what are some benefits that we should use HSTS. It gives additional benefits regarding SEO & Security. Such benefits can help you boost your SEO efforts indirectly
Page Load Speed Improvement
With the implementation of HSTS policy, the first non seure request only the secure version is requested and which leads to improve the time taken from an insecure version and redirect to secure version is reduced which may lead to indirect benefits in SEO & organic rankings in the SERP
Security Improvement
Security on a website is extremely important and today google even directs the website owners to only serve the HTTPS versions of the website otherwise the browsers give a security warning to the end user. A secure website makes the end user experience better and secure. With HSTS implementation the initial non secure request which can be exploited by the MITM. The initial non secure data can be hijacked by the MITM and this puts the data of users in danger. So HSTS makes the websites more secure for the end user
Downsides of HSTS Protocol
However the HSTS protocol gies you indirect SEO benefits and security edge but it is also reported to have a few downsides.
- preload, If you have to revert your website to http version in future, the browser might not remove the entries from its list for months, which could be frustrating if you are troubleshooting or want to serve http in future for some reason. However thi is rare case scenario and you might not need to worry about this at all.
- includeSubDomains, You might have to secure all your subdomains secure to keep the certificates up to date.
- max-age Once you set max age in you htaccess then if a user have already visited your site with secure version, then for whatever reason you want to serve him unsecured version that might not be possible. Again its a rare case scenario
- HSTS policy is activated if a user has already visited your page earlier while the first request is still the non secure request
HSTS Implementation
Now let’s discuss how to implement HSTS. Most of the hosting companies hae implemented it on the server side itself you just have to fix it on yor end. You can even follow this HSTS cheat sheet. But for easy explanation follow the below steps for implementation
HSTS Implementation in Apache
This can be done by going to the hosting account’s file manager or if you have FTP access then you can do it via same. Here is how toimplement this
- Locate your htaccess file in the hosting server. If you are unable to find it, then go to settings and click show hidden files
- Once you have opened the htacces file, then add the following code in the file and click save
- For filezilla foolow the exact same method by looking for your htaccess file after you have enabled show hidden files.
Add the following code into your htaccess file
Header set Strict-Transport-Security “max-age=31536000” env=HTTPS
If you want o include the subdomains to the protocol as well use the following code
Strict-Transport-Security: max-age=31536000; includeSubDomains
In this way you have successfully implemented the HSTS protocol on your server
To learn how to implement HSTS on self hosted servers and vps go to this awesome guide on htsts.
However I recommend you to use professionals help either your hosting provider or a developer to implement this
Testing HSTS implementation
Now as you have implemented the HSTS protocol, for testing if you have done it right then follow the extract methods to test the results
1. Visit the website you just implemented the HSTS protocol in your browser
2. Now click the settings icon in the right side to open customization setting in your browser
3. Go to More Tools > Developer Options
4. Now a console will open, click on the network tab and refresh the page you want to test
5. Click on the first request in the console and look for “strict-transport-security” in the list
6. If you see such entry in the console then your website is successfully using HSTS protocol
So this is how you can implement the HSTS policy. However if are a newbie blogger and don’t know anything about it then ask your hosting provider to implement it for you. They know the stuff much better than you and will implement this on your website
Conclusion
So this is how you can implement HSTS on your website or blog. This concept has been introduced from around 2012 but only got attention of the seo’s and website developers when google made security on the website compulsory. There are many benefits of using HSTS security protocol with very little downsides.
Let me know in the comment section if you were able to implement the same. If you have any question regarding this just let me know. I would love to help you out with this