Improve Performance & Security using HSTS with HTTPS


#1

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism, an HTTP header which tells the browser to use only HTTPS for a particular domain for a specific time period.

What is the syntax for HSTS?

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

Directives

max-age=<expire-time>
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

includeSubDomains
If this optional parameter is specified, the HSTS rule applies to all of the site’s subdomains as well.

preload
Optional syntax used to add a domain to the Chrome Preload List, which is maintained by Google.
Source: Firefox.

Live

Just an example

Try this in your browser: http://yourname.gulshankumar.net

Your browser will automatically force HTTPS version: https://yourname.gulshankumar.net

This way it improves performance. I have been using this feature for a long time.

Does Google recommend using HSTS for webmasters?
Yes, they do.

How to implement it for your website?

  1. Ask your hosting team to enable HSTS.

  2. Via the W3 Total Cache (W3TC) plugin: check "Apply HTTP Strict Transport Security policy" on the Browser Cache page.

  3. Using Cloudflare: log in to Cloudflare and enable HSTS on the Crypto page.

FAQs

  • What do I need to know before implementing HSTS?
    If you are using HTTPS and you commit to maintaining it permanently, you should go for HSTS.

  • What will happen if someone tries to access the site over HTTP, or the SSL certificate expires?
    HTTP will be redirected to HTTPS. If the SSL certificate expires, the visitor will see an error page. I recently faced this problem when a subdomain related to email,
    tracking.gulshankumar.net, was missing an SSL certificate. I had two choices: either install SSL on the tracking subdomain or simply stop using it. I decided to discontinue it because tracking was of no use to me.

  • How about the Chrome Preload list?
    The Chrome Preload list is used by major browsers to force HTTPS for first-time visitors. This list contains notable names such as Twitter, Facebook, etc. You can also submit your domain at https://hstspreload.org

  • How much time does it take to get into the Chrome Preload list?
    Approximately 2-3 months. The change may only show up in newer browser versions.

I hope this helps. Please let me know if you have any questions. :slight_smile:

Useful resources

DailyDose

Thanks & Regards,
Gulshan


Useful .htaccess code
[Guide] How to Setup W3 Total Cache Plugin?
How to Setup Free Cloudfare CDN for Wordpress (Tutorial)
Google launches .app domains with built-in HTTPS support
(I am a love charger) #2

This is interesting.

cc @razor


(I am a love charger) #3

I have a redirect setup like:

http://example.com
301 Moved Permanently
https://example.com/
301 Moved Permanently
https://www.example.com/

Will HSTS work for me?


#4

Yes, it will work for sure.

HSTS requires a pattern like the one below. Ref: Screenshot

http:// to https:// to https://www.gulshankumar.net

And the case below is restricted; it shouldn’t be used with HSTS.

http directly to https+www.
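An added example, not code from either post: an offline checker for the header syntax from post #1 and the redirect pattern from post #4. It assumes the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload, and the plain-HTTP hop redirecting to HTTPS on the same host); the hops are constructed responses, not real traffic.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for token in value.split(";"):
        name, _, arg = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload

def check_chain(hops):
    """hops: (url, status, headers) tuples. Returns problems; [] means preload-ready."""
    problems = []
    for url, status, headers in hops:
        parts = urlsplit(url)
        if parts.scheme == "http":
            # The plain-HTTP hop must redirect to https:// on the SAME host, not to www.
            target = urlsplit(headers.get("Location", ""))
            if status not in (301, 308) or target.scheme != "https" or target.hostname != parts.hostname:
                problems.append(f"{url}: must redirect to https://{parts.hostname}/")
            continue
        # Every HTTPS hop, including the https -> https://www redirect, needs the header.
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            problems.append(f"{url}: missing Strict-Transport-Security header")
            continue
        max_age, include_sub, preload = parse_hsts(hsts)
        if max_age is None or max_age < ONE_YEAR:
            problems.append(f"{url}: max-age must be at least {ONE_YEAR}")
        if not include_sub:
            problems.append(f"{url}: includeSubDomains directive missing")
        if not preload:
            problems.append(f"{url}: preload directive missing")
    return problems

# Constructed hops following the recommended http -> https -> https://www pattern.
HSTS_OK = "max-age=31536000; includeSubDomains; preload"
GOOD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/",
                                   "Strict-Transport-Security": HSTS_OK}),
    ("https://www.example.com/", 200, {"Strict-Transport-Security": HSTS_OK}),
]
```

Feeding it a chain that jumps from http straight to https+www reports the first hop as a problem, which is the restricted case above.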


(I am a love charger) #5

Cool fact.

The majority of sites are not using this, but some sites do: “Status: gmail.com is currently preloaded.”

@gulshankumar Any other examples?


#6

Please check bing.com, twitter.com, facebook.com.
If someone is not using it, it’s because it’s a bit technical.


(I am a love charger) #7

This is cool. I wonder how a browser saves this setting; does it use the cache?


#8

Yes, you can say that. It basically caches the ‘force HTTPS’ request.

Additionally, the interesting thing is that for a preloaded domain, the browser doesn’t require an HTTP to HTTPS redirection at the server level at all, even for a first-time visitor.

In Firefox, they load directly over HTTPS right after hitting Enter. No HTTP at all. :slight_smile:
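To show what the browser actually "caches", here is an added example (not from the thread): a minimal model of a browser's HSTS policy store, keyed by host, with expiry, includeSubDomains matching and a preload list. The hosts and timestamps are constructed.

```python
import time

class HstsStore:
    """Per-host table of (expiry timestamp, includeSubDomains), like a browser keeps."""

    def __init__(self, preloaded=()):
        # Preloaded hosts behave like a permanent includeSubDomains policy.
        self.policies = {h: (float("inf"), True) for h in preloaded}

    def remember(self, host, max_age, include_subdomains, now=None):
        """Record or refresh a policy; max-age=0 tells the browser to forget it."""
        now = time.time() if now is None else now
        if max_age == 0:
            self.policies.pop(host, None)
            return
        self.policies[host] = (now + max_age, include_subdomains)

    def should_upgrade(self, host, now=None):
        """True if an http:// request to host is rewritten to https:// before any network I/O."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])  # host itself, then each parent domain
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                self.policies.pop(candidate)  # stale entry: behave like a first visit
                continue
            if i == 0 or include_sub:
                return True
        return False
```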


(I am a love charger) #9

Looks like adding this code
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

in .htaccess will do the job? Sad that Cloudways has no such feature :confused:


#10

Oh, just because the majority of browsers use the Chrome Preload list, which is maintained by Google.


#11

Yes, you can implement via .htaccess also.

<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

(Razor) #12

In Sucuri, you can apply HSTS to your site with a single button click. But as I have the necessary redirections in place, I did not use HSTS because the site is being served at 100% HTTPS. But as per Gulshan's link, it seems Google recommends HSTS, so I will implement it ASAP.


(I am a love charger) #13

Cloudways:

If a customer requests this header, we always set it using .htaccess. It is better to set it via .htaccess so that the customer can also remove it from their end.


(I am a love charger) #14

Yep. See this also: https://security.googleblog.com/2017/09/broadening-hsts-to-secure-more-of-web.html


(I am a love charger) #15

You have a direct redirection, which is not recommended/possible with HSTS.


#16

Unfortunately, the majority of speed testing tools never bother with this little performance hack. I feel very angry when I see them recommend nonsense like removing query strings, which doesn’t make sense at all except for creating fancy clean URLs for the assets. Most probably, it sometimes causes issues with the browser cache.


#17

A 301 redirection is required. Additionally, we can implement HSTS.


(Razor) #18

It causes issues with the CDN cache, not only the browser cache.


(I am a love charger) #19

Yep, I never had any idea that HSTS exists. And it is cool; we should have been using it since the day we enabled HTTPS. It reduces server responses and improves loading time for direct readers :smiley:


#20

Yes, it happens. They give the lame excuse that some proxy servers don’t cache URLs containing query strings. However, to date I couldn’t find any such CDN. All quality CDNs come with a proper option to respect query strings. If the version changes, the file must change, or not change if the setting is to ignore query strings.

For example, in Cloudflare it is best to keep the cache level at Standard in the case of query strings.