A website exists to promote the business behind it, and that exposure also attracts unwanted traffic: scanners, spammers and attackers. Putting protective layers in front of the site matters, and one of the cheapest layers is a single HTTP response header.
If your website already has a TLS certificate and serves pages over HTTPS, you can add HSTS, the HTTP Strict Transport Security header. This article covers what HSTS is, how browsers apply it, the caveats before rolling it out, and how to enable it in Apache and Nginx.
What is HSTS?
HSTS (HTTP Strict Transport Security, RFC 6797) is a response header that tells a browser to reach the site only over HTTPS for a set period, even if the user types http:// or follows an http:// link. This defeats SSL-stripping man-in-the-middle attacks and the cookie hijacking they enable, and it also stops users from clicking through certificate warnings for that site.
How Does HSTS Work?
The server sends an HSTS header: When the browser fetches a page over HTTPS, the server includes a Strict-Transport-Security header in the response. The header tells the browser how long (max-age, in seconds) it must use only HTTPS for this host. Browsers ignore the header when it arrives over plain HTTP, because an attacker on the path could otherwise inject it; this is also why the very first visit is still unprotected unless the site is preloaded.
The browser stores the policy: The browser caches the policy for the host and refreshes the expiry every time it sees the header again, so a regularly visited site never falls out of the cache.
Enforced HTTPS: While the policy is valid, the browser rewrites any http:// URL for that host to https:// before sending the request, so no plain-HTTP request ever leaves the machine, not even to collect a redirect. It also refuses to connect when the certificate is invalid, with no option to click through the warning.
Benefits of HSTS
Prevents downgrade attacks: An attacker on the network (for example an SSL-stripping proxy) cannot make the browser talk plain HTTP to the site, because the browser upgrades the request itself instead of relying on a server-side redirect that the attacker could intercept.
Protects against cookie hijacking: Cookies are only ever sent over HTTPS, so they cannot be captured from an unencrypted request; combine this with the Secure attribute on the cookies themselves so that they are never sent over HTTP by any client.
Enhances user trust: Users always land on the HTTPS version and never see a certificate warning they could bypass, which is exactly what the browser's lock indicator promises.
HSTS Header
The HSTS header is added to the HTTP response and has the following format:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
max-age: Number of seconds the browser should enforce HTTPS for this host, counted from the last time it saw the header. max-age=0 tells the browser to drop a stored policy.
includeSubDomains: Applies the policy to every subdomain of the host as well, so each of them must also be reachable over HTTPS.
preload: Marks the site as willing to be added to the browser preload list. Browsers do not act on this directive themselves; it is read by the preload submission service when you submit the domain.
Preloading HSTS
Preloading HSTS means submitting your domain at hstspreload.org to the list that Chrome maintains and that Firefox, Safari and Edge import. Browsers shipping that list enforce HTTPS for the domain from the very first visit, closing the trust-on-first-use window HSTS otherwise leaves open. To qualify, the site must serve a valid certificate, redirect HTTP to HTTPS on the same host, serve every subdomain over HTTPS, and send the header on the base domain with max-age of at least 31536000 (one year), includeSubDomains and preload. Treat preloading as permanent: removal takes months to reach users' browsers, and every subdomain, including internal ones, must keep working over HTTPS for the whole time.
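The browser-side behaviour described in "How Does HSTS Work?", the header directives above and the preload requirements, modelled as one runnable script. This is an added example, not code from the original article: it parses Strict-Transport-Security values the way RFC 6797 requires, keeps a trust-on-first-use policy cache, upgrades later http:// requests locally, and checks the header side of the hstspreload.org rules. The hostnames, header values and the preloaded entry are constructed sample data.

```python
"""HSTS as a browser models it (added example, not the article's code).
Hostnames and header values below are constructed sample data."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Parse a header value; return None when it is invalid. Directive names
    are case-insensitive, unknown directives are ignored, max-age is
    mandatory and may appear only once (RFC 6797 section 6.1)."""
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or non-numeric: whole header is invalid
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)


def preload_eligible(policy):
    """Header side of the hstspreload.org requirements: max-age of at least
    one year, includeSubDomains and the preload token."""
    return bool(policy is not None and policy.max_age >= PRELOAD_MIN_AGE
                and policy.include_subdomains and policy.preload)


class HstsStore:
    """Minimal model of a browser's HSTS cache."""

    def __init__(self, preload_list=(), clock=time.time):
        self.clock = clock
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.hosts = {h: (float("inf"), sub) for h, sub in preload_list}

    def process_response(self, url, headers):
        """Record the policy from a response. Only HTTPS responses count
        (RFC 6797 section 8.1): over plain HTTP an on-path attacker could
        forge the header. max-age=0 deletes a stored policy."""
        parts = urlsplit(url)
        policy = parse_hsts(headers.get("strict-transport-security", ""))
        if parts.scheme != "https" or policy is None:
            return False
        host = parts.hostname
        if policy.max_age == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.clock() + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Before a request is sent: an http:// URL for a known host is
        upgraded to https:// locally, so no plaintext request leaves the
        machine. An explicit :80 is dropped (becomes the https default)."""
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known(p.hostname):
            return url
        netloc = p.hostname if p.port == 80 else p.netloc
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def demo():
    """Walk through the policy lifecycle with a controllable clock."""
    now = [1_700_000_000.0]
    store = HstsStore(preload_list=[("preloaded.example", True)], clock=lambda: now[0])
    hdr = {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}
    result = {}
    result["ignored_over_http"] = not store.process_response("http://shop.example/", hdr)
    result["stored_over_https"] = store.process_response("https://shop.example/", hdr)
    result["upgraded"] = store.rewrite("http://shop.example/cart?id=7")
    result["subdomain"] = store.rewrite("http://api.shop.example:80/v1")
    result["preloaded_first_visit"] = store.rewrite("http://preloaded.example/")
    result["eligible"] = preload_eligible(parse_hsts(hdr["strict-transport-security"]))
    now[0] += 31536001  # a year and a second later the cached policy has lapsed
    result["after_expiry"] = store.rewrite("http://shop.example/")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the four things that matter operationally: the header is dropped on the plain-HTTP response, the same header over HTTPS makes later http:// requests (including the :80 subdomain request) leave as https://, the preloaded host is upgraded with no prior visit at all, and once max-age lapses the host is back to the unprotected first-visit state, which is why a short rollout max-age must eventually be raised to a year.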
Important Considerations
- Deployment: Enable HSTS only after everything on the site, including images, scripts, API endpoints and redirect targets, is served over HTTPS; once the policy is cached, anything that is HTTP-only simply stops working for returning visitors.
- Max-age value: Roll out with a short value (a few minutes) and raise it to a year only after confirming nothing breaks. Browsers keep the policy until it expires, so a long max-age cannot be undone quickly, and sending max-age=0 only reaches visitors who come back to the HTTPS site.
- Testing: Check the HTTPS response for the header with the browser's developer tools or curl -I, and confirm the port-80 site answers with a redirect rather than content; Chrome lists the stored policy for a host under chrome://net-internals/#hsts.
- Subdomains: includeSubDomains covers every subdomain, including ones you never expose publicly (internal tools, staging, mail hosts). Make sure all of them serve HTTPS before adding it, and note that preloading requires it.
By implementing HSTS, you significantly enhance the security of your website and protect your users from potential attacks.
HSTS Browser Support
HSTS is widely supported by modern web browsers. Here are the major browsers that support HSTS:
- Google Chrome
- Mozilla Firefox
- Safari
- Opera
- Microsoft Edge
- Internet Explorer 11 only (support arrived in a 2015 update; older versions have none)
Note: Internet Explorer is out of support, so treat its HSTS handling as best effort and validate against the modern browsers above.
How to Enable HSTS in Apache?
Prerequisites:
- A valid SSL certificate is installed and configured for your website.
- Apache web server with the mod_headers module enabled.
Steps:
- Enable the mod_headers module: If it is not already enabled, turn it on. It ships with standard Apache installations but is not always active:
sudo a2enmod headers # For Debian/Ubuntu systems
sudo apachectl -M | grep headers_module # Verify that it is loaded
- Locate your virtual host configuration file: This file usually resides in the /etc/apache2/sites-available directory. Find the configuration file for your website.
- Add the HSTS header to your virtual host: Open the configuration file and add the following line within the <VirtualHost> section for your HTTPS site (typically port 443):
<VirtualHost *:443>
    # Your SSL configuration here
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
Replace 31536000 with the desired maximum age in seconds (one year in this example), and keep the quotes as straight ASCII quotes; curly quotes are not recognised by Apache's configuration parser and will either fail the config test or send a mangled value. The always condition makes mod_headers add the header to every response, including 4xx and 5xx error pages and redirects; without it the header is only added to successful responses. Put the directive only in the port-443 virtual host; the port-80 host should do nothing except redirect to HTTPS, because browsers ignore the header on plain-HTTP responses anyway.
- Enable the configuration: If you are using a system like Debian or Ubuntu, you will need to enable the configuration file:
sudo a2ensite your_site_name.conf
Replace your_site_name.conf with the actual name of your configuration file.
- Restart Apache: For the changes to take effect, restart the Apache web server:
sudo systemctl restart apache2 # For systemd-based systems
sudo service apache2 restart # For older systems
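The steps above tied together in one complete pair of virtual hosts, as an added example rather than configuration from the original article. The hostname, DocumentRoot and certificate paths are placeholders; the configuration assumes mod_ssl and mod_headers are loaded.

```apache
# Plain-HTTP virtual host: its only job is to redirect to HTTPS.
# No Strict-Transport-Security here; browsers ignore the header over HTTP,
# and the preload list requires the redirect to stay on the same host.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Rollout value: a few minutes while you verify that every resource and
    # every subdomain works over HTTPS. Use this line first ...
    # Header always set Strict-Transport-Security "max-age=300"

    # ... then switch to the production value (one year, the minimum for
    # preloading). "always" also covers 4xx/5xx responses and redirects.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Run sudo apachectl configtest before restarting so a typo cannot take the site down. Afterwards, curl -sI https://www.example.com/ should show the Strict-Transport-Security line, while curl -sI http://www.example.com/ should show a 301 to the https:// URL and no HSTS header at all.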
Important Considerations:
- Preload List: Submit the site to the HSTS preload list only after it has run with the full one-year max-age and includeSubDomains without problems; removal from the list is slow.
- Testing: Thoroughly test your website with HSTS enabled, including every subdomain, to ensure everything functions correctly.
- Security: Ensure that all resources on your website are served over HTTPS before enabling HSTS; a mixed-content resource that still loads today will be blocked once the policy is cached.
By following these steps and considering the important points, you can effectively implement HSTS for your Apache web server and enhance your website’s security.
How to Enable HSTS in Nginx?
Prerequisites:
- A valid SSL certificate is installed and configured for your website.
- Nginx web server installed and running.
Steps:
- Locate your server block configuration: This file is usually found in /etc/nginx/sites-available/. Find the configuration file for your website.
- Add the HSTS header: Open the configuration file and add the following line within the server block for your HTTPS site (typically port 443):
server {
    listen 443 ssl;
    # ... other server directives ...
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
- max-age=31536000: Specifies the duration in seconds for which the browser should enforce HSTS (one year in this example). Use straight ASCII quotes around the value; curly quotes are not valid in Nginx configuration.
- includeSubDomains: Indicates that the HSTS policy applies to all website subdomains.
- preload: Signals that the site is ready for the browser preload list; browsers themselves ignore this token.
- always: Makes Nginx add the header regardless of the response status code. Without it, add_header only applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so error pages would go out without the policy. Note also that add_header is not merged across levels: a location block that sets any add_header of its own drops every header inherited from the server block, so the HSTS line has to be repeated in such locations.
- Enable the configuration: On Debian or Ubuntu, where Nginx reads /etc/nginx/sites-enabled/, link the file into that directory:
sudo ln -s /etc/nginx/sites-available/your_site_name.conf /etc/nginx/sites-enabled/
Replace your_site_name.conf with the actual name of your configuration file.
- Restart Nginx: For the changes to take effect, restart (or reload) the Nginx web server:
sudo systemctl restart nginx
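A complete Nginx configuration for the procedure above, as an added example rather than configuration from the original article. The hostname, root and certificate paths are placeholders; the /static/ location exists only to show the add_header inheritance pitfall.

```nginx
# Plain-HTTP server: redirect to the same host over HTTPS, nothing else.
# No HSTS header here; browsers ignore it on plain-HTTP responses.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/certs/www.example.com.crt;
    ssl_certificate_key /etc/ssl/private/www.example.com.key;
    root /var/www/example;

    # "always" makes nginx add the header on every status code, not only
    # on the 2xx/3xx set add_header covers by default, so error pages
    # carry the policy too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        try_files $uri $uri/ =404;
    }

    # Pitfall: a location with its own add_header stops inheriting the
    # server-level headers, so the HSTS line must be repeated here or the
    # responses for /static/ go out without it.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }
}
```

Validate with sudo nginx -t before applying, then sudo systemctl reload nginx picks up the change without dropping open connections. Verify both server blocks separately: curl -sI https://www.example.com/ and curl -sI https://www.example.com/static/app.js should each show the header, and curl -sI http://www.example.com/ should return a 301 to https:// with no HSTS header.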
Important Considerations:
- Preload List: Consider submitting your website to the HSTS preload list for maximum effectiveness.
- Testing: Thoroughly test your website with HSTS enabled to ensure everything functions correctly.
- Security: Ensure that all resources on your website are served over HTTPS before enabling HSTS.
By following these steps and considering the important points, you can effectively implement HSTS for your Nginx web server and enhance your website’s security.