Along with DNSSEC, HTTP Strict Transport Security (HSTS) is an important but under-implemented web security protocol. Unlike DNSSEC though, HSTS seems to finally be on its way, slowly but steadily, toward widespread implementation. HSTS is currently used by about 12.5% of all websites, and is supported by newer versions of major web browsers.
Basically, HSTS tells web browsers to connect to my site only over HTTPS; insecure HTTP connections should be rejected. According to Cloudflare, HSTS “… protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking.” But there is a downside: “… once HSTS is turned on, your website must continue to have a valid HTTPS configuration conforming with the HSTS header to avoid making the website inaccessible to users” (emphasis added).
That second, scary part is no doubt one of the factors holding back wider implementation of HSTS. But really, it isn’t that scary. I should already be committed to using HTTPS on all my sites, all the time, for security as well as SEO and performance reasons. The only valid reason I can think of to not use HTTPS is if my web host does not offer Let’s Encrypt or another free SSL certificate. In that case I should (and did, a few years ago) switch web hosts.
One small caveat: when I enable HSTS I should (at least it makes sense to me) also enable Always Use HTTPS and Automatic HTTPS Rewrites. But, again, I should enable these anyway.

As I’ve mentioned in several previous posts, Cloudflare, even the free tier, is awesome. As it does with so many otherwise daunting web chores, Cloudflare makes setting up HSTS easy-breezy. I just enable it on the SSL/TLS tab, and disregard the dire warning (“… once HSTS is turned on, your website must continue to have a valid HTTPS configuration …”). As an extra bonus, Cloudflare allows me to select Preload: “Without preload, HSTS is only set after an initial successful HTTPS request, and thus if an attacker can intercept and downgrade that first request, HSTS can be bypassed. With preload, this attack is prevented.”
Once I get HSTS set up, I can check it using the Qualys SSL Server Test.

I just love getting A+.
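Besides the Qualys scan, the header itself can be checked locally. The script below is an added example, not part of the original post or Cloudflare's tooling: it parses a Strict-Transport-Security value following the RFC 6797 syntax rules and reports why the header alone would fail the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload). The sample header values are constructed, and the constant and function names are my own.

```python
"""Check a Strict-Transport-Security header value against RFC 6797 syntax
and the header-side requirements of the hstspreload.org submission form."""
import re
PRELOAD_MIN_MAX_AGE = 31_536_000  # one year, the minimum hstspreload.org accepts
INVALID = {"valid": False, "max_age": None, "include_subdomains": False, "preload": False}

def parse_hsts(value: str) -> dict:
    """Directives are ';'-separated, names case-insensitive, max-age required
    (may be quoted); RFC 6797 says a header with a repeated directive is ignored."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ';'
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # duplicate directive -> whole header ignored
            return dict(INVALID)
        seen[name] = raw.strip().strip('"')
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return dict(INVALID)  # max-age missing or not a plain integer
    return {"valid": True, "max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen,
            "preload": "preload" in seen}

def preload_problems(value: str) -> list:
    """Header-side preload-list problems only; the HTTP-to-HTTPS redirect
    and certificate checks that hstspreload.org also performs are not done here."""
    p = parse_hsts(value)
    if not p["valid"]:
        return ["not a valid STS header (RFC 6797)"]
    problems = []
    if p["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {p['max_age']} is below one year")
    if not p["include_subdomains"]:
        problems.append("missing includeSubDomains")
    if not p["preload"]:
        problems.append("missing preload")
    return problems

# Constructed sample values, not captured from any real site
SAMPLES = {
    "preload-ready": "max-age=31536000; includeSubDomains; preload",
    "one-day": "max-age=86400",
    "quoted": 'max-age="63072000"; includeSubDomains',
    "duplicate": "max-age=100; max-age=200",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label}: {preload_problems(header) or 'OK for preload'}")
```

A value of `max-age=0` is valid syntax and tells browsers to forget the policy, which is the only way to back out of HSTS once it has been cached.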

