Installing an HTTPS certificate is the first step in securing a website, but on its own it is not enough. Most users still type a bare domain or follow an http:// link, and the server's redirect to HTTPS only happens after that first plaintext request. An attacker on the path (a rogue Wi-Fi hotspot, for example) can intercept that request, keep the victim on plain HTTP while talking HTTPS to the real site, and read or modify everything the user sends. This attack is called SSL stripping, and HSTS (HTTP Strict Transport Security, RFC 6797) was created to defend against it. In this article we look at how to configure HSTS correctly and how to get a domain onto the preload list.
How HSTS technology works
HSTS is an HTTP response header, Strict-Transport-Security, that the server sends to the browser with the instruction "from now on open this domain only over HTTPS". The browser honours the header only when it arrives over an HTTPS connection; one received over plain HTTP is ignored, because an on-path attacker could have injected it. Once the policy is stored, for the number of seconds given in max-age the browser sends no HTTP requests to that domain at all: if the user types an http:// address or follows an http:// link, the browser rewrites it to https:// internally before anything leaves the machine. Two side effects are worth knowing. Certificate errors on an HSTS host become fatal (the browser offers no "proceed anyway" button), and a header with max-age=0 tells the browser to forget the policy. Within max-age an on-path attacker therefore has no plaintext request to strip. The protection does not cover the very first visit, which is the gap the preload list closes.
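The browser-side behaviour described above, as an added illustration that is not code from the original article: a small HSTS policy store that accepts a policy only when the header arrived over HTTPS, applies max-age expiry and includeSubDomains when matching hosts, forgets a host on max-age=0, and rewrites http:// URLs for hosts it knows. The host names, header values and timestamps are constructed for the example; the first assertion-style comment shows the first-visit gap the text mentions.

```python
"""Browser-side HSTS policy store (added example, not code from the article).
Models what RFC 6797 asks of a user agent. Hosts and timestamps are constructed."""
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header: str):
    """Lenient browser-style parse: return (max_age, include_subdomains),
    or None if the header is unusable (no max-age, or a non-numeric one)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None          # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # 'preload' and unknown directives are ignored by browsers
    if max_age is None:
        return None                  # max-age is mandatory
    return max_age, include_sub


class HSTSStore:
    def __init__(self):
        self._policies = {}          # host -> (expires_at, include_subdomains)

    def observe(self, url: str, header: str, now: float) -> bool:
        """Record the policy carried by a response; True if it was accepted."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False             # header over plain HTTP is ignored (RFC 6797 §8.1)
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0: forget the host
            return True
        self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Exact host match, or a parent domain whose policy has includeSubDomains.
        Expired entries are dropped as if never seen."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                del self._policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// when the host has a live HSTS policy.
        On a first visit nothing is known, so the URL stays plain HTTP."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + parts[1:])
        return url
```

The store is deliberately lenient in parsing and strict in what it accepts: a real browser also tolerates unknown directives but refuses to learn a policy from a plaintext response, since that is exactly the channel an attacker controls.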
Configuring the HSTS header
To enable HSTS, the server adds the following header to its HTTPS responses: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload. Here max-age=63072000 is two years in seconds; includeSubDomains extends the rule to every subdomain, including any that today serve only HTTP, so check them before enabling it; preload does nothing in the browser itself and only signals consent to being added to the preload list. In Apache the header is set with the Header directive of mod_headers in the virtual host configuration or .htaccess; in Nginx with add_header in the server block, with the always flag so the header is also sent on redirects and error responses. A safe rollout starts with a short max-age (a few minutes), confirms that nothing on the domain or its subdomains breaks over HTTPS, and only then raises it to a year or more.
What is the preload list
HSTS has one gap: a user visiting a site for the first time (or after the stored policy has expired, or from a fresh browser profile) has not yet received the header, so that first connection can be attacked. To close it, the Chromium project maintains the HSTS preload list. Domains on this list are compiled into the browser itself, so the browser never sends a plaintext request to them, even on the very first visit.
Process of joining the preload list
You can check your domain and submit it at hstspreload.org. The requirements are strict: a valid certificate; HTTPS on all subdomains (including www if it has a DNS record); if port 80 is open, an HTTP-to-HTTPS redirect that stays on the same host (http://yourdomain/ must go to https://yourdomain/ first, not straight to a www or other host); and on the bare domain over HTTPS an HSTS header with max-age of at least 31536000 (one year) plus the includeSubDomains and preload directives, present on every response including redirects. After approval the domain enters the Chromium source list, from which Chrome, Edge, Opera, Firefox and Safari derive their built-in lists as they ship new versions; this usually takes 6-12 weeks. Removal goes through the same process in reverse and is just as slow, so a preloaded domain must be able to serve HTTPS on every subdomain for the foreseeable future.
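The submission requirements above turned into an offline check, as an added example rather than the hstspreload.org checker itself: one function validates a single Strict-Transport-Security value against the preload rules (max-age of at least one year, includeSubDomains, preload, no duplicated or malformed directives), and another walks a redirect chain that starts at the plain-HTTP address and verifies that the first hop stays on the same host and that every HTTPS hop carries the header. The chain is passed in as constructed response dictionaries, so no network access is needed; the domains and responses are made up for the example.

```python
"""Preload-eligibility checks (added example, not hstspreload.org code).
Responses are constructed dictionaries so the checks run offline."""
from urllib.parse import urlsplit

MIN_PRELOAD_MAX_AGE = 31536000  # one year, as required for preload submission


def parse_directives(header: str):
    """Strict validator parse: return (directives, errors). Duplicate or
    malformed directives are reported (RFC 6797 allows each at most once)."""
    directives, errors = {}, []
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            errors.append(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        errors.append("max-age missing")
    elif not directives["max-age"].isdigit():
        errors.append("max-age is not a non-negative integer")
    return directives, errors


def header_problems(header: str) -> list:
    """Everything in one header value that would block preload submission."""
    directives, problems = parse_directives(header)
    if directives.get("max-age", "").isdigit():
        if int(directives["max-age"]) < MIN_PRELOAD_MAX_AGE:
            problems.append("max-age below 31536000 (1 year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


def chain_problems(domain: str, hops: list) -> list:
    """Check a redirect chain that starts at http://<domain>/.
    Each hop is {'url': str, 'status': int, 'headers': {name: value}};
    header names are matched case-insensitively."""
    problems = []
    if urlsplit(hops[0]["url"]).scheme != "http":
        problems.append("chain must start with the plain-HTTP request")
    for hop in hops:
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        parts = urlsplit(hop["url"])
        if parts.scheme == "http":
            # Port 80 must redirect to HTTPS on the *same* host first.
            if hop["status"] not in (301, 302, 307, 308):
                problems.append(f"{hop['url']} does not redirect to HTTPS")
            else:
                target = urlsplit(headers.get("location", ""))
                if target.scheme != "https" or target.hostname != parts.hostname:
                    problems.append(
                        f"{hop['url']} must redirect to https://{parts.hostname}/ first")
        else:
            # Every HTTPS response, redirects included, must carry HSTS;
            # the bare domain's header must also satisfy the preload rules.
            sts = headers.get("strict-transport-security")
            if sts is None:
                problems.append(f"{hop['url']} served over HTTPS without HSTS header")
            elif parts.hostname == domain:
                problems.extend(header_problems(sts))
    return problems
```

The same-host redirect rule is the one most often tripped over: a site that sends http://yourdomain/ straight to https://www.yourdomain/ is rejected even though everything ends up on HTTPS, because the bare domain never got a chance to deliver its own header.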
Sayt.uz practice
18% of Sayt.uz clients have HSTS enabled, and 6% are on the preload list. We recommend enabling HSTS on every site, but advise applying for preload only for stable projects: once a domain is preloaded, every subdomain must stay reachable over HTTPS, and removal from the list takes as long as addition did. HSTS setup costs 60,000 UZS one-time, and preparing a preload application 150,000 UZS. 99.4% of our clients are protected against SSL stripping after enabling HSTS; note that HSTS does not protect against a mis-issued or compromised certificate, which is a separate concern.