What Is HSTS (HTTP Strict Transport Security)?

HTTP Strict Transport Security (HSTS) is a security feature that forces web browsers to connect only via HTTPS for a specified duration. Once the browser learns about HSTS from a site, it upgrades all subsequent HTTP connections to HTTPS automatically, eliminating the risk of man-in-the-middle attacks that rely on unencrypted traffic.

Key Components of HSTS

• Strict-Transport-Security Header: An HTTP response header instructing the browser to enforce HTTPS. Example:
  

  Strict-Transport-Security: max-age=31536000; includeSubDomains

• max-age: The number of seconds during which the browser should force HTTPS. For instance, max-age=31536000 equals one year of HTTPS enforcement.
• includeSubDomains: Applies HSTS to every subdomain. All subdomains must support HTTPS to avoid accessibility issues.
• preload: If your domain meets HSTS preload criteria, you can submit it to the official preload list so browsers always use HTTPS from the first request.

How HSTS Works

1. Initial Secure Visit: A user visits your site over HTTPS. Your server responds with the Strict-Transport-Security header, instructing the browser to remember HTTPS for the duration specified in max-age.
2. Automatic HTTPS Enforcement: For the set max-age period, any attempt to connect over HTTP is internally upgraded to HTTPS before leaving the browser.
3. Prevents Downgrade Attacks: Attackers attempting to strip or downgrade HTTPS cannot force HTTP usage once the browser enforces HSTS.

Recommended Steps to Implement HSTS

1. Obtain a Valid SSL Certificate: Because HSTS enforces HTTPS, your site must have a valid, regularly renewed certificate to prevent locking out users.
2. Add the HSTS Header: Configure your web server to send the Strict-Transport-Security header. Examples:
   

   # Apache (e.g., .htaccess or virtual host config):
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
   
   # Nginx (inside server block):
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
       

3. Test and Validate: Use curl -I https://yoursite.com or browser developer tools to confirm the header appears and is correct.
4. Consider Preloading: If you want your domain to always use HTTPS from the first visit, meet the preload criteria and submit your domain.

Example HSTS Header

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This header enforces HTTPS for a year (max-age=31536000) on all subdomains and indicates an intent to preload.

How to Enable HSTS in VergeCloud

1. Log into VergeCloud Panel: Access your VergeCloud account by navigating to https://panel.vergecloud.com.
2. Select Your Domain: In the CDN or domain management section, choose the domain you want to enable HSTS for.
3. Locate Security or HTTPS Settings: Depending on your plan or panel version, there may be a dedicated HSTS or “Strict Transport Security” toggle within the security or HTTPS configuration area.
4. Enable HSTS: Specify the max-age (e.g., 31536000 for one year) and optionally enable includeSubDomains and preload if you meet those requirements.
5. Save and Propagate: Once saved, VergeCloud applies the HSTS header. Your changes may take a short time to propagate globally across CDN edge servers.
6. Test HSTS on Your Site: Use curl -I https://yoursite.com or browser developer tools to confirm the Strict-Transport-Security header is returned in responses.

Considerations

• Lockout If Certificates Expire: HSTS means users cannot bypass errors if your SSL certificate is invalid or expired.
• Subdomain Requirements: If you include includeSubDomains, every subdomain must have a valid certificate.
• Preload Removal Delays: Once preloaded, removing your domain from lists can take time, as major browsers need updates.
• First Visit Without Preload: Unless on the preload list, the very first request could still be over HTTP, theoretically exposing a small window for attack before HSTS is enforced.
• Browser Cache Considerations: HSTS policies are cached by browsers based on the max-age directive. If you decide to disable or alter HSTS settings, existing users may continue to have HSTS enforced until the max-age period expires. This delay can lead to inconsistent behavior, where some users still experience HTTPS enforcement while others see changes, potentially causing access issues or mixed content problems.