HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a server setting that enforces a secure HTTPS connection.

Why HSTS?

After installing an SSL certificate, a website can be reached through an HTTPS connection. This way, data is transmitted encrypted so that it can not be intercepted. However, the use of HTTPS isn't sufficient. You also want to force the use of HTTPS, even if a visitor uses and HTTP-address.

How does HSTS work?

When using HSTS the browser will check whether a secure connection via HTTPS to the visited webpage is made. If this is not the case, visitors are automatically redirected from http to https, and thus to the secure version of the website. If no secure connection is available, the visitor will see an error message, and the browser rejects the connection. Using HSTS can prevent 'man in the middle' attacks, because this way a website can not be redirected to an unsecured page.

In order to use HSTS all unsecured connections are first redirected to a secure connection, then the browser is instructed by means of a HSTS header to only connect to the domain in question via HTTPS from now on. In the header it is immediately indicated how long the instruction must be saved by means of a 'max-age' setting. The IncludeSubdomains setting makes the HSTS header active for all subdomains of the visited domain.

HSTS Preloading

When visiting a website for the first time, the browser will attempt to connect via HTTP. This is caused by the browser not knowing if the website is HSTS enabled. This connection is prone to a 'man in the middle' attack. If the browser supports shipping a "pre-load" HSTS list, browsers will automatically establish an HTTPS connection. To include your website in the preloaded HSTS list, you can submit a request here. The entire preload list is publicly readable via Chromium.

Support

Browser Support from version
Internet Explorer 11 on Windows 7 if update KB 3058515 is installed
Microsoft Edge Windows 10
Opera 12
Firefox 4, preload list included since Firefox 17
Safari OS X Mavericks
Chrome/Chromium

4.0.211.0

Blackberry browser and Webview Blackberry OS 10.3.3


Configure HSTS

The configuration of HSTS differs per webserver:

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues