What is HSTS?

HSTS means HTTP Strict Transport Security, and makes browsers force your visitors over https. Why do you need this when you already have redirected your site to SSL?

HSTS is meant for situations when users are not actually visiting your site, but a site that is pretending to be your site, and therefore does not have an SSL certificate. So this fake site won’t have a redirect to SSL!

Let’s say a user is in a public place on wifi, and visits your site, But a hacker is on the network, and is directing the user to a fake site, It has the same domain, looks the same, but carries a virus. It doesn’t have an SSL certificate. The user will not suspect anything, and will be infected.

Enter HSTS

If you had enabled HSTS on your site however, and this user has visited your site before, the browser will remember it should go back to https. As the fake site does not have an SSL certificate, the user can’t visit the site, and will be safe.

Browsers will remember this setting for a year, so reverting back to http is difficult (which is by design of course). If you want to deactivate HSTS for your site, read this article how to clear it from your browser as well.

HSTS preload list

While HSTS is a good thing, there’s still the situation where the user has never visited your site before. In this case, the user could still request your site by http. To  prevent this, the preload list had been created. All sites that are accepted onto this list get preloaded in the browsers that support this. So if a user opens your site in his browser, the browser already knows it has to request it over SSL.

When this setting is enabled, you can submit your site to the preload list by clicking the “submit site” button.

But take care! Do not enter your site without knowing exactly what the consequences are.

  • Removing is difficult so only add it if you plan to stay on SSL
  • All subdomains will be forced over SSL as well. Even if they are on a different server. They’re in the preload list now!

Related Articles

  • How to clear HSTS from your browser

    If you enabled HSTS on your site, you’ll have to clear it from your browser after you disabled it again. Otherwise, your site willl keep loading over SSL. There are...
  • Inserting HSTS header using PHP

    HSTS Header insertion Really Simple SSL pro has the ability to set HSTS header for your website. In most cases this is done by inserting the HSTS header in the .htaccess...
  • My website does a double redirect to https, or not 301 redirect

    Some users ask for a fix for a double redirect. But Really Simple SSL does not do a double redirect! The plugin uses two ways to redirect: in the .htaccess...
  • Recommended .htaccess redirect option

    If you didn’t enable the .htaccess redirect in your site, you may see a new plus one, with a notice in your dashboard (since version 3.2) WordPress 301 redirect enabled....