Understanding HSTS and How to Enable It on VergeCloud

HSTS (HTTP Strict Transport Security)

What Is HSTS (HTTP Strict Transport Security)?

HTTP Strict Transport Security (HSTS) is a critical web security mechanism that forces browsers to connect only via HTTPS. Once a browser receives the HSTS policy from your website, it automatically upgrades all HTTP requests to HTTPS for a defined duration, eliminating the risk of downgrade attacks and insecure connections.

Why Use HSTS?

HSTS improves your website's security by:

  • Enforcing encrypted HTTPS connections.

  • Preventing SSL stripping and downgrade attacks.

  • Reducing the risk of man-in-the-middle (MITM) exploits.

  • Enhancing your site's SEO trustworthiness and browser reputation.

How HSTS Works

  1. Initial Secure Visit: A user visits your website over HTTPS.

  2. HSTS Header Delivered: Your server responds with a Strict-Transport-Security header.

  3. Enforcement Begins: For the duration specified in max-age, all future HTTP requests are auto-upgraded to HTTPS by the browser.

  4. Preload Option: If your domain is in the HSTS preload list, even the first visit is forced to use HTTPS.

HSTS Header Example

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age=31536000: Forces HTTPS for 1 year (expressed in seconds).

  • includeSubDomains: Extends policy to all subdomains.

  • preload: Marks your domain as eligible for the browser preload lists, so HTTPS is enforced even on the first visit.

How to Enable HSTS on VergeCloud

  1. Log into VergeCloud Panel: Visit panel.vergecloud.com.

  2. Choose Your Domain: Navigate to the CDN or domain management area.

  3. Go to HTTPS Settings: Open the HTTPS or security configuration.

  4. Enable HSTS: Set the desired max-age and, optionally, enable includeSubDomains and preload.

  5. Save Changes: VergeCloud will apply the header across its edge network.

  6. Verify Header:

    curl -I https://yourdomain.com
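The browser-side behaviour described under "How HSTS Works" and the header check in step 6 above, as an added Python example (this is not VergeCloud's code). It models a browser's list of known HSTS hosts: the header is accepted only over HTTPS, a policy covers subdomains only when includeSubDomains is set, it lapses once max-age seconds have passed, and max-age=0 tells the browser to forget the host. It then audits the header found in a captured `curl -I` response. All hostnames and the sample response are constructed; the preload checks follow the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains and preload all present).

```python
"""HSTS as a browser applies it, plus an audit of a `curl -I` response.

Added example, not VergeCloud code. Hostnames and the sample response below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the max-age used in the article's example


@dataclass
class HstsDirectives:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsDirectives]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive grammar).

    Directive names are case-insensitive; max-age is mandatory and the first
    occurrence wins. Returns None when the header is unusable."""
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and max_age is None and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsDirectives(max_age, include_subdomains, preload)


class HstsStore:
    """In-memory model of a browser's known-HSTS-hosts list."""

    def __init__(self) -> None:
        # host -> (absolute expiry time in epoch seconds, includeSubDomains flag)
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def observe(self, url: str, header: str, now: float) -> None:
        """Steps 1 and 2: record the policy, but only from an HTTPS response."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return  # a header seen over plain HTTP is ignored (RFC 6797)
        d = parse_hsts(header)
        if d is None:
            return
        host = parts.hostname.lower()
        if d.max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 clears a cached policy
            return
        self._hosts[host] = (now + d.max_age, d.include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """Match the host itself or a parent domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None or entry[0] <= now:
                continue  # unknown, or max-age has elapsed
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Step 3: upgrade http:// to https:// for a known host; port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"  # non-default ports are kept as-is
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed stand-in for the output of `curl -I https://yourdomain.com`.
SAMPLE_CURL_OUTPUT = """\
HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: example-edge
"""


def audit_hsts(response_headers: str) -> List[str]:
    """Step 6 (Verify Header): list problems with the HSTS header in a raw response."""
    values = [line.partition(":")[2].strip()
              for line in response_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header"]
    problems = []
    if len(values) > 1:
        problems.append("multiple STS headers; browsers use only the first")
    d = parse_hsts(values[0])
    if d is None:
        return ["STS header present but max-age missing or invalid"]
    if d.max_age < ONE_YEAR:  # also the minimum hstspreload.org accepts
        problems.append(f"max-age={d.max_age} is below one year ({ONE_YEAR})")
    if d.preload and not d.include_subdomains:
        problems.append("preload requires includeSubDomains")
    return problems
```

Running `audit_hsts` over real `curl -I` output is the quickest way to confirm VergeCloud's edge is emitting the header you configured; `HstsStore` is useful for reasoning about rollouts, for example why a subdomain without HTTPS breaks once includeSubDomains is set, and why serving max-age=0 over HTTPS is the way to back out.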

Web Server Configuration Examples

Apache:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Best Practices & Considerations

  • ✅ Ensure a valid and unexpired SSL certificate is always active.

  • ⚠️ Do not enable includeSubDomains unless all subdomains support HTTPS.

  • 🔐 Understand preload implications — removing your domain from the list takes time.

  • 🧠 Be aware of browser caching: once a policy is cached, the browser keeps enforcing it until max-age expires.

Common Use Cases

  • Enforcing HTTPS for eCommerce, banking, and login pages.

  • Ensuring subdomain integrity in multi-tenant apps.

  • Securing APIs and administrative interfaces from downgrade attacks.
