What is HSTS?

Learn what HSTS is to ensure secure connections.

HSTS (Strict Transport Security)

HSTS (HTTP Strict Transport Security) is a security instruction that lets a website direct browsers to communicate with it exclusively over HTTPS, thus ensuring an encrypted and secure connection. This helps protect users from interception of sensitive data and from attacks such as cookie hijacking and man-in-the-middle (MitM).


max-age: this value is mandatory and specifies the number of seconds for which the server must be contacted exclusively via HTTPS.

includeSubDomains: this directive is optional. If set, it specifies that the HSTS policy also applies to all subdomains.

With this header, every connection to the site (including subdomains) must be made exclusively via HTTPS. In our case the directive applies for 31536000 seconds (one year).

HTTP connections will no longer be allowed: if the browser is asked to load a resource via HTTP, it must automatically rewrite the request to HTTPS.

If HTTPS is not available, the connection must be terminated.

HSTS and preloading

The HSTS max-age value (see above) is refreshed every time the browser reads the header, and its maximum value is two years; in practice this means protection remains permanent as long as no more than two years pass between visits.

HSTS preloading can be used to further increase a website's protection. Chromium maintains a list of sites that use HSTS, and this list is shipped with browsers. The browser first checks this preloaded list and refuses HTTP connections to the sites on it, even on the very first request.


The HSTS preload list is used by Firefox, Opera, Safari and Edge. To have your website included as well, use the following link: https://hstspreload.org/.

To be included in this list you must meet the following requirements:

  1. A valid SSL/TLS certificate.
  2. Redirect all traffic to HTTPS.
  3. Serve the HSTS header on the base domain (formerly “screamingfrog.club”).
  4. Serve all present subdomains over HTTPS.
  5. The max-age set must not be less than 1 year (31536000 seconds).
  6. The “includeSubDomains” directive must be specified.
  7. The “preload” directive must be specified.
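The following script is an added example, not code from the original article or from Screaming Frog. It parses a Strict-Transport-Security header value according to the directive rules described above (mandatory max-age, optional includeSubDomains, preload) and checks the header part of the preload requirements listed here: max-age of at least 31536000 seconds, includeSubDomains present, preload present, and the header served over HTTPS. The page paths and header values in SAMPLE_RESPONSES are constructed for illustration; certificate validity and the HTTP-to-HTTPS redirect are outside what a header check can verify and are not covered.

```python
"""Parse a Strict-Transport-Security header and check it against the
hstspreload.org header requirements listed above.

The sample headers at the bottom are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# hstspreload.org requires a max-age of at least one year (31536000 seconds)
MIN_PRELOAD_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse the header value; return None if it is malformed.

    RFC 6797: directive names are case-insensitive, unknown directives are
    ignored, max-age is mandatory, and a directive that appears more than
    once makes the whole header invalid (browsers then ignore it)."""
    seen = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: the header is dropped
        seen[name] = value
    if "max-age" not in seen or not re.fullmatch(r"\d+", seen["max-age"]):
        return None
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def preload_issues(header_value: Optional[str], served_over_https: bool = True) -> list:
    """Return the reasons a header would fail preload submission.

    An empty list means the header-related requirements are satisfied."""
    issues = []
    if not served_over_https:
        issues.append("header must be served over HTTPS; browsers ignore it on HTTP")
    if header_value is None:
        issues.append("no Strict-Transport-Security header")
        return issues
    policy = parse_hsts(header_value)
    if policy is None:
        issues.append("malformed header (missing max-age or duplicate directive)")
        return issues
    if policy.max_age < MIN_PRELOAD_MAX_AGE:
        issues.append(f"max-age {policy.max_age} is below {MIN_PRELOAD_MAX_AGE} (1 year)")
    if not policy.include_subdomains:
        issues.append("includeSubDomains directive missing")
    if not policy.preload:
        issues.append("preload directive missing")
    return issues


# Constructed sample responses, keyed by a hypothetical page path
SAMPLE_RESPONSES = {
    "/": "max-age=31536000; includeSubDomains; preload",
    "/blog/": "max-age=300",
    "/legacy/": None,
}


def audit(responses: dict) -> dict:
    """Check every page, since the header must be consistent site-wide."""
    return {path: preload_issues(value) for path, value in responses.items()}


if __name__ == "__main__":
    for path, issues in audit(SAMPLE_RESPONSES).items():
        print(path, "OK" if not issues else issues)
```

Running the script over the constructed sample shows the kind of inconsistency the verification section below warns about: the home page passes, while a page sending a short max-age and a page sending no header at all both fail, which a single DevTools check on the home page would not reveal.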

HSTS benefits

Because the rewriting from HTTP to HTTPS happens internally on the client, there are several key advantages over a simple site-wide HTTP-to-HTTPS redirect.

  • Reduced communication over insecure protocols.
  • Improved performance by avoiding a round trip every time an HTTP link is encountered.
  • Reduced load on the web server. However, a site-wide HTTP -> HTTPS redirect is still required, because the Strict-Transport-Security header is ignored unless it is sent over HTTPS. So if the first visit to your site is not via HTTPS, you still need that initial redirect to HTTPS in order to deliver the Strict-Transport-Security header, unless the site, as mentioned earlier, is included in the preload list.

Verify HSTS

Once the HSTS header has been added, it is critical to verify that it is actually present.

A first method used by developers is Google Chrome DevTools: check for the header in the Network tab. This check must, however, be repeated for every individual page to verify that there are no inconsistencies and that the header is returned correctly on each page.

The second method is Screaming Frog, which in a few seconds lets me check for HSTS effortlessly. The results of the crawl are available in the Security tab of the SEO Spider.
