
What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking by forcing web browsers to communicate with a website only through secure HTTPS connections.


How does HSTS work?

When a web browser receives an HSTS policy from a website (a Strict-Transport-Security header on a response delivered over a valid HTTPS connection; the header is ignored when it arrives over plain HTTP), it remembers the policy for the period given in the header. For as long as the policy is valid, the browser rewrites every http:// URL for that site to https:// before the request leaves the browser, and it treats certificate errors for the site as fatal instead of offering a "proceed anyway" option. Note that the very first visit is not protected until the browser has seen the header at least once, which is what the preload list described below addresses.


What are the benefits of using HSTS?

The main benefits of using HSTS are increased security for website visitors, because the plain-HTTP request that an attacker could intercept or strip is never sent, and slightly better performance, because the browser performs the HTTP-to-HTTPS redirect internally instead of making an extra round trip to the server.


How do I know if my website has HSTS enabled?

You can check whether your website has HSTS enabled by using an online HTTP header checker, by inspecting the response headers with a command-line client, or by looking at the browser's security information for the website. Always check the https:// URL: the header is only sent, and only honoured, on HTTPS responses.


How do I enable HSTS on my website?

You can enable HSTS on your website by adding a header to the HTTPS responses that your server sends to web browsers. On Apache you can do this in your .htaccess file: the header is named "Strict-Transport-Security" and must at least specify the maximum age of the policy. Other web servers have an equivalent setting; the header value is the same everywhere.


Example (Apache .htaccess, requires mod_headers):
# Send the policy only on HTTPS responses (the HTTPS variable is set by mod_ssl)
# and on every status code ("always"), so redirects and error pages carry it too.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# Remove any copy in the separate "onsuccess" header table, so the header is not sent twice.
Header onsuccess unset Strict-Transport-Security

  • max-age specifies the time in seconds that the browser should remember the HSTS policy for this site. In this example, it's set to 31536000 seconds, which is equivalent to one year. The timer is reset every time the browser sees the header again.
  • includeSubDomains applies the HSTS policy to all subdomains of the domain specified in the Host header. Only add it once every subdomain (including internal or development hosts) is reachable over HTTPS, otherwise those subdomains become unreachable in browsers that have seen the policy.
  • preload signals that the website owner consents to inclusion in the HSTS Preload List (https://hstspreload.org/). It is a requirement for submission, not a confirmation that the site has been submitted. Only add it when you intend to submit the domain: preloaded entries are hard to remove and the removal takes months to reach all browsers.


Can I preload HSTS for my website?

Yes, you can preload HSTS for your website by submitting it to the HSTS preload list, which is maintained by the Chromium project and also used by Firefox, Safari and Edge. Once preloaded, web browsers enforce HSTS for your website from the very first visit, before they have ever received the header from your server.


What are the criteria for preloading HSTS?

To be eligible for preloading, your website must meet the following criteria:

  • Have a valid TLS certificate.
  • Redirect all HTTP traffic on port 80 to HTTPS on the same host.
  • Serve all subdomains over HTTPS, including the www subdomain if a DNS record exists for it.
  • Send the Strict-Transport-Security header on the base domain over HTTPS with a max-age of at least 1 year (31536000 seconds) and with both the includeSubDomains and preload directives.

You can check your website's eligibility for preloading on the HSTS preload list website.
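The following script is an added example, not part of the original article: it reads HTTP response headers from standard input, extracts the Strict-Transport-Security value, and reports whether HSTS is enabled and whether the header itself satisfies the preload criteria listed above (max-age of at least one year, includeSubDomains and preload). It serves both the "How do I know if my website has HSTS enabled?" question and the eligibility check. The sample responses are constructed for the example; for a live check, pipe the output of `curl -sI https://www.example.com` (hostname assumed) into hsts_status.

```sh
#!/bin/sh
# Added example (not from the original article): classify the HSTS policy
# found in HTTP response headers read on stdin.

# Print the value of the first Strict-Transport-Security header, or nothing.
hsts_header() {
  tr -d '\r' | awk 'tolower($0) ~ /^strict-transport-security:/ {
    sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# Print the max-age value (seconds) from a header value, or nothing if absent.
hsts_max_age() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' |
    sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' |
    head -n 1
}

# Succeed if the header value contains the given directive (case-insensitive).
hsts_has_directive() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' |
    sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
    grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Read response headers on stdin and print one of:
#   none     no Strict-Transport-Security header
#   enabled  header present, but not preload-ready
#   preload  max-age >= 31536000, includeSubDomains and preload all present
hsts_status() {
  value=$(hsts_header)
  if [ -z "$value" ]; then
    echo none
    return 0
  fi
  age=$(hsts_max_age "$value")
  if [ "${age:-0}" -ge 31536000 ] &&
     hsts_has_directive "$value" includeSubDomains &&
     hsts_has_directive "$value" preload; then
    echo preload
  else
    echo enabled
  fi
}

# Constructed sample responses (not captured from any real site).
SAMPLE_PRELOAD='HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
'
SAMPLE_SHORT='HTTP/1.1 200 OK
strict-transport-security: max-age=300
'
SAMPLE_NONE='HTTP/1.1 200 OK
Content-Type: text/html
'

# Stand-alone run: print the classification of each sample.
# Live check (hostname assumed): curl -sI https://www.example.com | hsts_status
printf 'preload sample: %s\n' "$(printf '%s' "$SAMPLE_PRELOAD" | hsts_status)"
printf 'short sample:   %s\n' "$(printf '%s' "$SAMPLE_SHORT" | hsts_status)"
printf 'no-header:      %s\n' "$(printf '%s' "$SAMPLE_NONE" | hsts_status)"
```

The script only evaluates the header; the remaining preload criteria (the port-80 redirect, the certificate, and HTTPS on every subdomain) have to be checked against the live site, which is what the form on hstspreload.org does when you submit a domain.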


How do I submit my website to the HSTS preload list?

You can submit your website to the HSTS preload list by using the submission form available at https://hstspreload.org/.


How often should I renew my HSTS policy?

The HSTS policy itself does not need to be renewed: the browser resets its timer every time it receives the header, so as long as your server keeps sending it on every HTTPS response the policy never expires for returning visitors. What does need renewing is your TLS certificate. With HSTS in place an expired or invalid certificate blocks access to the site completely, because the browser no longer offers a way to click through the warning, so monitor the certificate's expiry date carefully.

By implementing HTTP Strict Transport Security (HSTS), you can improve the security and performance of your website for your visitors.
