How to Fix the Missing HSTS Header Security Issue in WordPress

Stumbled on a missing HSTS header security issue while analyzing your WordPress site’s audit file? Learn what it is and how it can be fixed.

Fixing security issues enables our websites to withstand attacks that come through overlooked loopholes. So, if there is a list of things to do to keep a website secure and healthy, handling security issues belongs in the top three.

I recently stumbled on one of these security issues, called “Missing HSTS Header”, and fixed it accordingly. And so, read on to learn more about why the HSTS header matters and how you can fix it yourself.

What is an HSTS header?

HSTS header is short for the HTTP Strict-Transport-Security response header. It tells the browser that your website should be accessed over HTTPS instead of HTTP.

With the HSTS header in place, you are basically cutting off the initial HTTP access to your website that would otherwise happen before the redirect to HTTPS, because the header instructs the browser to load your site over HTTPS only.

Why does the HSTS header matter?

Because HTTP is unencrypted, an attacker positioned on the network can tamper with the initial HTTP load of your website before it redirects to HTTPS. Without the HSTS header, you are essentially leaving that door open.

How do you check if your website is missing the HSTS header?

I am a technical SEO and I use this very handy SEO tool called ScreamingFrog.

A quick site crawl with ScreamingFrog, followed by a look at its Security section, will list the security issues your website has, including the missing HSTS header.

[Image: ScreamingFrog Missing HSTS Header check with errors]

Alternatively, you can use this online tool to check whether the HSTS header declaration is missing on your website. If you see a max-age declaration right next to “strict-transport-security”, your website has the HSTS header.

[Image: GeekFlare HSTS header check]

How to fix the missing HSTS header issue?

To fix the missing HSTS header issue, add one line to your WP site’s .htaccess file. Copy the first line of code below, paste it into your .htaccess file and save. If you need help locating your site’s .htaccess file, check out this guide on accessing your WordPress site’s .htaccess file.

Header set Strict-Transport-Security "max-age=31536000"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Notes:

  • The first line sets the HSTS header for your domain only
  • (Optional) The second line also covers all of its subdomains and satisfies the “preload” requirement
  • 31536000 is one year in seconds and the minimum max-age you should use

Be careful not to delete any existing lines in your .htaccess file while you copy and paste the above.
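As an added example (not code from the original post) of applying the fix without disturbing the rules already in the file, here is a small Python helper that appends the directive to a .htaccess file, writes a backup first, and does nothing if a Strict-Transport-Security line is already present. The IfModule guard, the marker comments and the backup file name are this example's own choices.

```python
"""Append the HSTS directive to a WordPress .htaccess file without removing
anything already there. Added example; the guard block, backup name and
marker comments are this example's choices, not the post's."""
import re
import shutil
import sys
from pathlib import Path

# The domain-only directive from the post, in mod_headers syntax.
HSTS_DIRECTIVE = 'Header set Strict-Transport-Security "max-age=31536000"'

# Matches any existing "Header set" / "Header always set" line for this
# header, regardless of case.
HSTS_PATTERN = re.compile(
    r"^\s*Header\s+(?:always\s+)?set\s+Strict-Transport-Security\b",
    re.IGNORECASE | re.MULTILINE,
)


def has_hsts_directive(text: str) -> bool:
    """True if the .htaccess text already sets Strict-Transport-Security."""
    return HSTS_PATTERN.search(text) is not None


def add_hsts_directive(htaccess: Path, directive: str = HSTS_DIRECTIVE) -> bool:
    """Append the directive (inside an IfModule guard) if it is not present yet.

    Returns True when the file was changed. Existing content is kept exactly
    as it was and a copy is written to <name>.bak first, so the change is easy
    to revert. The block is appended after WordPress's own "# BEGIN/END
    WordPress" markers rather than inside them, because WordPress regenerates
    that section when permalinks are saved.
    """
    original = htaccess.read_text() if htaccess.exists() else ""
    if has_hsts_directive(original):
        return False
    if htaccess.exists():
        shutil.copy2(htaccess, htaccess.with_name(htaccess.name + ".bak"))
    block = "\n".join([
        "# BEGIN HSTS",
        "<IfModule mod_headers.c>",
        f"    {directive}",
        "</IfModule>",
        "# END HSTS",
        "",
    ])
    # Make sure the appended block starts on its own line.
    separator = "" if original == "" or original.endswith("\n") else "\n"
    htaccess.write_text(original + separator + block)
    return True


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".htaccess")
    print("added" if add_hsts_directive(target) else "already present", target)
```

Run it from the directory that holds the .htaccess file, or pass the path as the first argument; running it twice is safe because the second run detects the existing directive and leaves the file alone.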

What’s the preload all about?

It’s a good thing you’re curious. There is something called “HSTS preloading”, and the preload directive is one of the requirements for getting your domain included in a browser’s preload list.

What is HSTS preloading in browsers?

Browsers like Chrome, Firefox, Safari and many others ship with a “preload list”, a hardcoded list of websites they treat as HTTPS-only, so the browser never makes that first HTTP request, even before it has ever seen your HSTS header.

So if you really only want to serve visitors over HTTPS, it is a good idea to have your domain included in this browser preload list. You can do that by including the second line above in your .htaccess file and submitting your domain for inclusion in the preload list via this tool.

Things you should know about HSTS preloading

Before you opt-in for HSTS preloading though, here are things you should consider:

  • Opting out of the list can be a slow process
  • It also means all subdomains must be accessible over HTTPS
  • You need to satisfy the HSTS preloading requirements, all listed here.
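An added example, not part of the original post, that serves both the “how to check” section and the preload checklist above: a Python script that parses a Strict-Transport-Security header value the way RFC 6797 describes it (directives separated by semicolons, case-insensitive names, max-age required, duplicates invalid) and reports which of the preload requirements (a max-age of at least one year, includeSubDomains, preload) the header does not meet. The sample header values are constructed; `fetch_hsts` performs a live HTTPS request only when you run the script against a host of your own.

```python
"""Parse and evaluate a Strict-Transport-Security header. Added example; the
function names and sample values are this example's own, not the post's."""
import http.client
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the max-age the post recommends


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str]


def parse_hsts(value: Optional[str]) -> HstsPolicy:
    """Parse a header value per RFC 6797. Pass None when the header is absent."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False, problems=[])
    if value is None:
        policy.problems.append("header missing")
        return policy
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # empty directives (e.g. a trailing ';') are permitted
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted-string
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy.max_age = int(arg)
            else:
                policy.problems.append(f"max-age is not a number: {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Clients ignore directives they do not recognise, so we do the same.
    if "max-age" not in seen:
        policy.problems.append("max-age missing")
    return policy


def preload_ready(policy: HstsPolicy) -> List[str]:
    """Return the preload requirements the header fails; empty means ready."""
    missing = list(policy.problems)
    if policy.max_age is not None and policy.max_age < ONE_YEAR:
        missing.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        missing.append("includeSubDomains missing")
    if not policy.preload:
        missing.append("preload missing")
    return missing


def fetch_hsts(host: str, path: str = "/") -> Optional[str]:
    """Fetch the header over HTTPS; browsers ignore HSTS sent over plain HTTP,
    so checking the HTTP response would tell you nothing."""
    conn = http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": "hsts-check"})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python hsts_check.py example.com  (hostname is yours to supply)
    header = fetch_hsts(sys.argv[1])
    policy = parse_hsts(header)
    print("header:", header)
    print("basic problems:", policy.problems or "none")
    print("preload gaps:", preload_ready(policy) or "none")
```

Against the first .htaccess line from the post the script reports no basic problems but two preload gaps (includeSubDomains and preload); against the second line it reports none. A trailing semicolon, as in the original form of the first line, parses cleanly because RFC 6797 allows empty directives.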

For me, I am all good with the first line for now, as I have subdomains I use for staging website development that don’t necessarily require SSL.

And by the way, after the fix above, my site no longer has the missing HSTS header error. Your turn to try!

[Image: ScreamingFrog Missing HSTS Header check result]
