
HSTS: HTTP Strict Transport Security, and why it’s good to have it

HSTS, or HTTP Strict Transport Security, is an option in Really Simple SSL Pro, and I suspect most people just switch it on because they can. It is worth knowing what it actually protects against.

Installing an SSL certificate on your domain does not stop anyone from using your site over plain http. The simplest fix is a redirect, and that is one of the things Really Simple SSL does: it redirects every http request to https. But a redirect only helps if the http request actually reaches your server. When a user types domain.com, the browser tries http://domain.com first, and that request travels unencrypted. Anyone in a position to intercept it (a malicious hotspot, a compromised router, or malware on the user's own machine) can answer it with a site pretending to be domain.com, or quietly keep the user on http while proxying to your real site (an attack known as SSL stripping). The user never reaches your redirect and is open to attack.

HSTS: prevent http requests to your domain

That is where HSTS, or HTTP Strict Transport Security, comes in. It is a response header, Strict-Transport-Security, that tells the browser to use https for every request to your domain for as long as the header's max-age says (typically a year). So when an attacker tries to steer that user to a fake domain.com, the browser remembers the HSTS policy, upgrades the request to https and demands a valid certificate for domain.com. The attacker cannot obtain one for a domain he does not control, so the browser refuses the connection; with HSTS in effect it does not even offer the usual "proceed anyway" option on a certificate error. The catch is that the browser only learns the policy from a response it received over https, so the protection starts after the first secure visit (the header is ignored when it arrives over plain http, because an attacker on the path could otherwise set a bogus policy). To enable this feature, turn on the setting in settings/ssl (pro only).

HSTS preload list: preventing http requests on the first visit as well

Because HSTS is only enforced after the browser has seen the header, there is a gap: a visitor who has never been to your site (or whose stored policy has expired) can still be sent to it over http. The HSTS preload list closes that gap. It is a list of HSTS domains maintained by the Chromium project and shipped inside Chrome, Firefox, Safari and Edge. If your domain is on the list, the browser knows to load your site over https only, before it has ever made a request to it.

But be careful with this feature. The list requires includeSubDomains, so every subdomain (like sub.domain.com, including ones you may have forgotten, such as an internal tool or an old webmail host) must work over https as well, or it simply stops loading. Removal from the preload list is difficult and slow, and does not propagate quickly: even after you are removed, browsers that shipped with the old list can keep enforcing it for months.

With a few tweaks, you can configure your site for the preload list (this option appears once HSTS is enabled). To qualify, the site must serve a valid certificate, redirect http to https on the same host, and send a Strict-Transport-Security header with a max-age of at least one year (31536000 seconds) plus the includeSubDomains and preload directives; you then submit the domain at hstspreload.org.
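To make the browser-side behaviour concrete, here is an added example (not code from Really Simple SSL or from the page's author) that models what a browser's HSTS store does with the header: it ignores the header on http responses, enforces max-age expiry and includeSubDomains, upgrades http URLs for known hosts, treats preloaded hosts as known from the start, and checks a header value against the preload submission rules. The hostnames, timestamps and header values are constructed for the example.

```python
"""Model of how a browser applies HTTP Strict Transport Security (RFC 6797).

Added illustration, not Really Simple SSL code. All hosts, header values and
timestamps used here are constructed for the example.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None if the header is malformed (no valid max-age).
    Directive names are case-insensitive.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """Minimal stand-in for a browser's HSTS store."""

    def __init__(self, preloaded=()):
        # host -> (expiry timestamp, include_subdomains); preloaded hosts never expire
        self.entries = {h.lower(): (float("inf"), True) for h in preloaded}

    def observe_response(self, url, header_value, now):
        """Record the policy carried by a response. Returns True if it was accepted."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # the header is only trusted when it arrived over https
        policy = parse_sts(header_value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue  # policy has expired; the first-visit gap is back
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def preload_eligible(header_value):
    """Check a header value against the hstspreload.org directive requirements."""
    policy = parse_sts(header_value)
    if policy is None:
        return False
    return (policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])


if __name__ == "__main__":
    cache = HstsCache()
    print(cache.rewrite("http://domain.com/login", 0))        # first visit: stays http
    # an on-path attacker injecting the header into an http response is ignored
    cache.observe_response("http://domain.com/", "max-age=31536000", 0)
    cache.observe_response("https://domain.com/", "max-age=31536000; includeSubDomains", 0)
    print(cache.rewrite("http://sub.domain.com/", 1))         # now upgraded to https
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

The two things worth noticing when you run it: the http request on the very first visit is not upgraded, which is exactly the gap the preload list exists to close, and once the stored policy expires the browser falls back to that same state, which is why the preload rules insist on a max-age of a year.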
