Understanding HSTS and How to Enable It on VergeCloud

HSTS (HTTP Strict Transport Security)

What Is HSTS (HTTP Strict Transport Security)?

HTTP Strict Transport Security (HSTS) is a critical web security mechanism that forces browsers to connect only via HTTPS. Once a browser receives the HSTS policy from your website, it automatically upgrades all HTTP requests to HTTPS for a defined duration, eliminating the risk of downgrade attacks and insecure connections.

Why Use HSTS?

HSTS improves your website's security by:

  • Enforcing encrypted HTTPS connections.

  • Preventing SSL stripping and downgrade attacks.

  • Reducing the risk of man-in-the-middle (MITM) exploits.

  • Enhancing your site's SEO trustworthiness and browser reputation.

How HSTS Works

  1. Initial Secure Visit: A user visits your website over HTTPS.

  2. HSTS Header Delivered: Your server responds with a Strict-Transport-Security header.

  3. Enforcement Begins: For the duration specified in max-age, all future HTTP requests are auto-upgraded to HTTPS by the browser.

  4. Preload Option: If your domain is in the HSTS preload list, even the first visit is forced to use HTTPS.

HSTS Header Example

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

  • max-age=31536000: Forces HTTPS for 1 year (value is in seconds).

  • includeSubDomains: Extends policy to all subdomains.

  • preload: Marks your domain as eligible for the browser preload lists, so HTTPS is enforced even on the very first visit.

How to Enable HSTS on VergeCloud

  1. Log into VergeCloud Panel: Visit panel.vergecloud.com.

  2. Choose Your Domain: Navigate to the CDN or domain management area.

  3. Go to HTTPS Settings: Open the HTTPS or security configuration.

  4. Enable HSTS: Set the desired max-age, optionally enable includeSubDomains and preload.

  5. Save Changes: VergeCloud will apply the header across its edge network.

  6. Verify Header:

    curl -I https://yourdomain.com
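To go one step beyond eyeballing the curl output, the following added script (not part of VergeCloud's documentation or tooling) parses the Strict-Transport-Security value the way a browser does and reports whether the policy is enforced and whether it meets the hstspreload.org eligibility thresholds (one-year max-age, includeSubDomains, preload). It assumes you paste the header value shown by the `curl -I` check above into `assess()`.

```python
import re

# hstspreload.org eligibility: max-age >= 1 year, includeSubDomains, preload.
ONE_YEAR = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797: directives are
    case-insensitive, ';'-separated, each allowed once; unknown ones ignored."""
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for token in (t.strip() for t in value.split(";")):
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            policy["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # RFC 6797 allows a quoted-string
            if re.fullmatch(r"\d+", arg):
                policy["max_age"] = int(arg)
            else:
                policy["errors"].append(f"invalid max-age: {arg!r}")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if "max-age" not in seen:
        policy["errors"].append("max-age is required")
    return policy

def assess(value):
    """Return (enforced, preload_ready, problems) for one header value."""
    p = parse_hsts(value)
    problems = list(p["errors"])
    enforced = not problems and p["max_age"] > 0
    if not problems and p["max_age"] == 0:
        problems.append("max-age=0 tells browsers to drop the cached policy")
    if enforced and p["max_age"] < ONE_YEAR:
        problems.append("max-age below one year: not preload-eligible")
    if enforced and not p["include_subdomains"]:
        problems.append("includeSubDomains missing: not preload-eligible")
    if enforced and not p["preload"]:
        problems.append("preload directive missing: not preload-eligible")
    return enforced, enforced and not problems, problems
```

A header that is enforced but not preload-ready is still a valid HSTS policy; the extra problems only matter if you intend to submit the domain to the preload list.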

Web Server Configuration Examples

Apache:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Nginx:

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Best Practices & Considerations

  • ✅ Ensure a valid and unexpired SSL certificate is always active.

  • ⚠️ Do not enable includeSubDomains unless all subdomains support HTTPS.

  • 🔐 Understand preload implications: removing your domain from the list takes time, so treat preload as a long-term commitment.

  • 🧠 Be aware of browser caching: Once enforced, changes won't take effect until max-age expires.

Common Use Cases

  • Enforcing HTTPS for eCommerce, banking, and login pages.

  • Ensuring subdomain integrity in multi-tenant apps.

  • Securing APIs and administrative interfaces from downgrade attacks.
