Enforce HTTPS with Strict Transport Security (HSTS)

Some web sites are designed to work only over HTTPS. In that case the webmaster often keeps the HTTP version of the site reachable, with a redirection to HTTPS. But that mechanism alone is not safe: the first request still travels over plain HTTP, and an attacker in a man-in-the-middle position can intercept it and keep the user on an unencrypted connection instead of passing the redirection along. The web site can therefore still be the victim of a MITM attack.

To avoid this, you can tell browsers that the web site must be contacted over HTTPS only. The browser will then rewrite any http:// URL for that site into an https:// one before sending the request.

That is what HTTP Strict Transport Security (HSTS) does. It is supported starting from Chrome 4, Firefox 4 and Internet Explorer 11. Enabling HSTS does not create errors or warnings in incompatible browsers: they simply ignore the unknown header.

The concept is simple: during an HTTPS connection, the server sends back a Strict-Transport-Security header indicating that HTTPS must be enforced for this host, and for how long (the max-age directive, in seconds). The only thing to do is to configure your web server to send this HTTP header on its HTTPS responses; from then on your users' browsers will connect over HTTPS only, for the whole site, until max-age expires. Note that browsers only record the header when it arrives over an HTTPS connection with a valid certificate: a Strict-Transport-Security header received over plain HTTP is ignored, so there is no point in sending it on the HTTP side.

You'll find documentation for most browsers here: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

The includeSubDomains directive extends the HSTS policy to all your sub-domains. Before adding it, make sure every sub-domain that a browser may reach is actually served over HTTPS with a valid certificate, otherwise those hosts become unreachable for the whole max-age period.

Preloading

Since HSTS relies on a first HTTPS connection having taken place, several browsers added a preload list so that HTTPS is used automatically even on the very first connection.

Chrome/Chromium maintains a list that domains can join on request (through hstspreload.org). This list is also used as a basis by Firefox, Safari, IE 11 and Edge.

To join this list, your HSTS header must contain the preload directive. The submission rules published by hstspreload.org also require includeSubDomains, a max-age of at least one year (31536000 seconds), a valid certificate and an HTTP to HTTPS redirection on the bare domain; the 180-day max-age used in the configuration examples below is therefore not enough for preloading. Keep in mind that removal from the preload list is slow, since it has to propagate through browser releases, so only request it once you are certain the whole domain will stay HTTPS-only.
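To make the client-side behaviour concrete, here is an added example in Python (written for this page; it is not code from TBS Certificates or from any browser): a minimal Strict-Transport-Security parser following RFC 6797, a policy store that behaves like a browser (the header is only honoured over HTTPS, includeSubDomains matching, expiry, max-age=0 clearing a policy), and a check of a header against the hstspreload.org submission rules. The host names, header values and the one-year preload minimum are assumptions made for the demonstration.

```python
"""HSTS as a browser applies it: parse Strict-Transport-Security (RFC 6797),
keep per-host policies, upgrade http:// URLs, and check preload eligibility.
Added example, not code from TBS Certificates or any browser; inputs are constructed."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# hstspreload.org minimum max-age (one year); assumption stated in the lead-in
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    expires: float            # absolute expiry, same clock as HstsStore.now
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload), or None when the header
    must be ignored (no max-age, malformed value, repeated directive)."""
    max_age, include_sub, preload, seen = None, False, False, set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue                       # empty directive (trailing ';') is allowed
        name, _, arg = token.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in seen:
            return None                    # RFC 6797: each directive at most once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')   # the value may be quoted
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None                        # max-age is mandatory
    return max_age, include_sub, preload


class HstsStore:
    """Minimal HSTS-aware client: learns from HTTPS responses, rewrites http:// URLs."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}                 # host -> HstsPolicy

    def observe(self, url, headers):
        """Record the policy of one response; headers is a list of (name, value).
        Returns True if a policy was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False                   # over plain HTTP the header is ignored
        value = next((v for k, v in headers
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub, preload = parsed
        if max_age == 0:
            self.policies.pop(parts.hostname, None)   # max-age=0: forget the host
        else:
            self.policies[parts.hostname] = HstsPolicy(
                self.now() + max_age, include_sub, preload)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self.policies.get(".".join(labels[i:]))
            if pol is None or pol.expires <= self.now():
                continue                   # no policy, or expired
            if i == 0 or pol.include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Return the https:// form of url when its host is known, else url unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def preload_eligible(value):
    """Problems that would block submission to the preload list; [] means eligible."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["not a valid HSTS header (max-age missing or malformed)"]
    max_age, include_sub, preload = parsed
    problems = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if not include_sub:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    store = HstsStore()
    # constructed responses: the header over HTTP is ignored, over HTTPS it is stored
    store.observe("http://domain.tld/", [("Strict-Transport-Security", "max-age=15552001")])
    print(store.rewrite("http://domain.tld/"))        # still http://
    store.observe("https://domain.tld/", [("Strict-Transport-Security",
                                           "max-age=15552001; includeSubDomains;")])
    print(store.rewrite("http://www.domain.tld/"))    # upgraded via includeSubDomains
    print(preload_eligible("max-age=15552001; includeSubDomains;"))
```

Running the demo shows the two points that matter in practice: the same header is worthless on the HTTP side, and the 180-day header used later in this page is rejected by the preload check for two reasons (max-age too short, no preload directive).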

HTTP Redirections

Complementing HSTS, which works client-side, you should deploy HTTP to HTTPS redirections on all your sites. For instance, a 301 redirection signals that the client must always access the resource over HTTPS. As soon as the user has accessed an HTTPS resource, the HSTS header is read and obeyed by the browser, which then applies it to the whole site.

For websites using the "www" subdomain, it is important to order your redirections correctly:

If your certificate is valid both with and without www, you can add the following redirections, in that specific order:

  • http://domain.tld => https://domain.tld
  • http://www.domain.tld => https://www.domain.tld
  • https://domain.tld => https://www.domain.tld

That way, both the bare domain and the "www" will be protected by HSTS, provided the https://domain.tld response (the redirection itself) also carries the Strict-Transport-Security header: a browser only records the policy for the host that sent it, so the bare domain must send the header on its own redirect response and www.domain.tld must send it on its pages.

If your certificate only covers the "www", you must use the following redirections:

  • http://domain.tld => https://www.domain.tld
  • http://www.domain.tld => https://www.domain.tld

However, securing the bare domain as well, as in the first case, is strongly recommended: in this second configuration the bare domain never sends an HSTS header over HTTPS (a policy from www.domain.tld does not cover its parent), so every visit to http://domain.tld remains exposed to the attack described above.
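The redirection orderings above can be verified mechanically. The following added example in Python (not from the original page) audits a redirect chain hop by hop: every plain-HTTP hop must redirect to HTTPS, every HTTPS hop must carry Strict-Transport-Security for its own host, and no hop may redirect back to HTTP. The fetch function is injectable, so the demo runs offline against a constructed table that models the first ordering; http_fetch, also written here as an assumption, does a real single-hop request for use against a live site. domain.tld and all responses are constructed.

```python
"""Audit an HTTP -> HTTPS redirect chain and the HSTS header on each HTTPS hop.
Added example, not code from TBS Certificates; domain.tld and the responses are constructed."""
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)


def http_fetch(url, timeout=10):
    """One hop, no redirect following: returns (status, {lowercased header: value})."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request("GET", path, headers={"Host": p.netloc})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers


def audit_chain(start_url, fetch=http_fetch):
    """Follow redirects from start_url. Returns (final_url, findings); [] means clean."""
    findings, url = [], start_url
    for _ in range(MAX_HOPS):
        status, headers = fetch(url)
        scheme = urlsplit(url).scheme
        hsts = headers.get("strict-transport-security")
        if scheme == "https" and hsts is None:
            findings.append(f"{url}: HTTPS response without Strict-Transport-Security, "
                            "so browsers never learn a policy for this host")
        if scheme == "http" and hsts is not None:
            findings.append(f"{url}: HSTS sent over plain HTTP, where browsers ignore it")
        if status not in REDIRECTS:
            if scheme == "http":
                findings.append(f"{url}: served {status} over plain HTTP instead of redirecting")
            return url, findings
        location = headers.get("location")
        if location is None:
            findings.append(f"{url}: {status} without a Location header")
            return url, findings
        nxt = urljoin(url, location)
        if scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"{url}: redirects back to plain HTTP ({nxt})")
        if status not in (301, 308):
            findings.append(f"{url}: uses {status}; a permanent redirect (301/308) is preferred")
        url = nxt
    findings.append(f"gave up after {MAX_HOPS} hops at {url} (redirect loop?)")
    return url, findings


# Constructed responses modelling the first recommended ordering.
HSTS = "max-age=15552001; includeSubDomains"
GOOD_SITE = {
    "http://domain.tld/":      (301, {"location": "https://domain.tld/"}),
    "http://www.domain.tld/":  (301, {"location": "https://www.domain.tld/"}),
    "https://domain.tld/":     (301, {"location": "https://www.domain.tld/",
                                      "strict-transport-security": HSTS}),
    "https://www.domain.tld/": (200, {"strict-transport-security": HSTS}),
}
# Same layout, but the bare-domain HTTPS redirect forgot the header.
BAD_SITE = {**GOOD_SITE,
            "https://domain.tld/": (301, {"location": "https://www.domain.tld/"})}


def table_fetch(table):
    """Offline fetch: look responses up in a dict instead of hitting the network."""
    return lambda url: table[url]


if __name__ == "__main__":
    for name, site in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        final, findings = audit_chain("http://domain.tld/", fetch=table_fetch(site))
        print(name, "->", final, findings or "clean")
```

Against a live site, call audit_chain("http://your.domain/") with the default fetch; the BAD_SITE table reproduces the mistake the text warns about, a bare-domain redirect that never sends the header, and is the only difference between the two runs.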

Deploying

Apache

For Apache, you only have to add the following to the HTTPS virtual host (port 443):

# load the mod_headers module if it is not loaded already
LoadModule headers_module modules/mod_headers.so

# enforce https connections for 180 days
# ("always" also adds the header on error and redirect responses)
Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains"

HTTP Redirections

To redirect your traffic from HTTP to HTTPS, add the following instruction to the virtual host listening on port 80 (a prefix of / covers the whole site; the request path is appended to the target):

Redirect permanent / https://domain.tld/

Nginx

For nginx, add to the server block that listens on 443 (the trailing "always" makes nginx add the header on redirects and error responses too; note that add_header directives are only inherited by a location block that defines none of its own, so repeat it in such locations):

# enforce https connections for 180 days
add_header Strict-Transport-Security "max-age=15552001; includeSubDomains" always;

HTTP Redirections

To redirect your traffic from HTTP to HTTPS add to the HTTP server block, the following instruction:

return 301 https://$host$request_uri;

If the same server block handles both HTTP and HTTPS (listen 80 and listen 443 ssl), you can add the following conditional block to it instead:

if ($scheme = http) { return 301 https://$server_name$request_uri; }

Lighttpd

Enable the setenv module and add the following header on the HTTPS socket:

server.modules += ( "mod_setenv" )

$SERVER["socket"] == ":443" {
    # enforce https connections for 2 years
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000; includeSubDomains"
    )
}

HTTP Redirections

To redirect your HTTP to HTTPS traffic, you need to first have the redirect module enabled:

server.modules += ( "mod_redirect" )

Then configure your HTTP socket:

$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "domain.tld" {
        url.redirect = ( "^/(.*)" => "https://domain.tld/$1" )
        server.name = "domain.tld"
    }
}

Microsoft IIS

You can consult our HSTS on IIS documentation.

Useful links