HTTP Strict Transport Security:HSTS is a very powerful browser. It is a web server directive, which instructs web browser how to deal with its connection through a response header. These response headers are sent at the beginning and back to the browser. It increases the website security level by ensuring connection over https:// encryption. Basic features of this technology are:
1) It eliminates the ability of HTTPS to be degraded to HTTP
2) Ensures 100% secure information exchange
3) Reduces attacks from hacker significantly
4) Available for Google Chrome and Mozilla Firefox
If you are running a website, which contains sensitive data or important information, it is advisable to implement HSTS. In case you are running a site that doesn’t contain any personal data, you may not be able to utilize the full benefits of HSTS.
Advantages of HSTS
HSTS features are designed to focus on preventing the ‘middle man attack’. These kinds of attacks are done to steal sensitive information and credentials of the website. Forcing every communication to be sent via HTTPS prevents these attacks. This is done by instructing the web browser to not to send any kind of traffic over the HTTP protocol.
Two main security advantages of HSTS are:
1) Automatically redirects any assets that are referenced in HTML generated by your website to be called through https:// instead of http://. This will ensure that the source from which the content is coming is a valid SSL certificate.
2) The browser will automatically eliminate the ability to override the certificate warning in case the website uses an invalid SSL certificate. It also prevents access to such websites.
Features of HSTS
There are two main features implemented by HSTS. Let’s discuss these one by one in detail.
1) HSTS Sub-domain Name space: Along with protecting domain name, HSTS is also enforced to all sub-domains. This may not be very beneficial to some organizations as they may be reliant on http:// sub-domains for external resources.
2) HSTS Pre-load List: HSTS has a pre-loaded list that will see whether the particular domain can use HSTS. This built-in list, which is loaded in all the browsers are used nowadays. This increases the protection by enforcing https:// to all the queries sent to a domain.
How do I implement HSTS?
SSL (Secure Socket Layer) certificates are widely used to enhance website security. There are different types of SSL certificates available in the market. It depends upon the requirement of the individual that which SSL certificate he should opt. For example:
• If you contain sub-domains in your websites content structure, Wild card certificate is what you need to only cover https://.
• In case only the main domain needs protection, the Domain validation SSL certificate will do the job.
To implement HSTS, follow the following steps:
1) Check the validity of the SSL certificate of your website
2) Redirect all the http:// links to https://
3) Cover all the sub-domains with wild card SSL certificate
4) HSTS header should be served on the base domain for https:// request and set Max-age to at least 18 weeks
5) Specify preload directives and ‘include subdomains’ directives
Failing to fulfill these requirements (1-5) will result in the removal of your listing.
HSTS has been around for years providing a high level of security. It takes a few minutes to install HSTS. This not only secures sensitive data but provides protection from hacker’s attack and also improves the SSL score. To implement HSTS, you simply need to follow a few above mention steps and you'll be good to go.
If you need more information regarding Digital Certificate. Give us a call on +1 (888) 606-7330. We will also help you to provide Comodo SSL Certificate for domain and sub-domain to secure your online business website.