What is HSTS? HSTS Optimization Guide


HSTS (HTTP Strict Transport Security) is a security protocol that requires all connections to a website to be encrypted using the HTTPS protocol. Currently, Google applies HSTS to 45 top-level domains. Today let’s join WordPress tips find out more What is HSTS?How to optimize HSTS?

What is HSTS?

What is hst?

HSTS (HTTP Strict Transport Security) is a security protocol that requires all connections to a website to be encrypted using the HTTPS protocol. Currently, Google applies HSTS to 45 top-level domains, including domains ending in .google, .how, and .soy. HTTPS is an essential part of ensuring secure access to websites. Prevent attacks by intercepting requests, modifying or manipulating information between users and websites.

When we visit a website using http, data is first sent to the web server unencrypted. If this site is secured by https. It will send an immediate redirect request to the browser, to the URL with https://domain.com. But prior to redirection, requests sent over http can be hacked by intercepting the request and modifying the information in the request, resulting in the loss of session information about the site visit.

HSTS attempts to combat this potential vulnerability by telling the browser that this domain can only be accessed using HTTPS. When a site is HSTS enabled. When accessing this website via http, the browser will no longer send requests to the web server via http. Which web browser will automatically redirect to https and send request through https protocol to server. This is the answer to the question What is HSTS?? Now let’s see how HSTS works.

How does HSTS work?

How does hsts work?

When a user accesses the site via https or is redirected from http to https. The web server sends an HSTS header to the browser and saves this header for further requests. Then, if the user continues to visit the http://domain.com website, the browser will automatically redirect to https://domain.com. And send an access request to the web server via the secure https protocol. Instead of http, there is no HSTS. So do you know how HSTS works? Let’s find out how HSTS Optimization Please.

Optimization of HSTS


HSTS can increase the security of a website by requiring the browser to always use https for that page. However, HSTS is not a perfect solution to completely solve the problem of session hijacking when accessing HTTP. Users remain vulnerable if they visit a website protected by HSTS over HTTP when they have:

  • I have never visited this website
  • Reset browser
  • Use a new browser or device
  • Clear browser cache
  • Use an incognito browser

To solve this problem, Google uses the “HSTS preload list”. Group web domains and subdomains that use HSTS and are sent to https://hstspreload.appspot.com/. This list of domains is distributed and hard-coded into web browsers. Users accessing web domains in this list will automatically use HTTPS. Or be redirected to HTTPS if accessing via HTTP. If the web server does not support HTTPS, the access request will be denied. If you don’t know what is the optimal HSTS? So don’t miss this information

Install HSTS for Nginx

Add the STS (Strict-Transport-Security) header to the nginx vhost settings:

add_header Strict-Transport-Security “max-age=31536000; includeSubDomains” always;

With this setting we have:

  • add_header Strict-Transport-Security: Add STS to response header
  • max-age=31536000: STS header will expire after 1 year
  • includeSubDomains: Apply HSTS to all subdomains

The “always” setting allows headers for all responses, including internally generated error responses. Older versions of NGINX do not support the “always” parameter and do not header internally generated error responses.

By default, HSTS is cached by the browser. If you want to register this domain in “HSTS preload lis” on https://hstspreload.appspot.com/, you need to add bootstrap to settings:

add_header Strict-Shipping-Security “max -age=31536000; includeSubDomains” always; preload

How to disable HSTS for Nginx

To disable HSTS, just set the “max-age=0” parameter:

add_header Strict-Transport-Security “max-age=0; includeSubDomains” always;

See more : What is htaccess wordpress? Instructions for creating a simple .htaccess file

Here is a summary of the information What is HSTS?, how to optimize HSTS. Looking forward to reading the next articles of WordPress Tips Please


Rate items


Related Articles

Back to top button