Enabling HTTP Strict Transport Security (HSTS) on Your Website
This document provides step-by-step instructions for enabling HTTP Strict Transport Security (HSTS) on your Zesty-hosted website. HSTS significantly enhances your website's security by ensuring that browsers always connect via HTTPS.
Why Enable HSTS?
Once a browser has received the HSTS header from your site over HTTPS, it refuses to connect over plain HTTP for the duration of max-age: http:// links are rewritten to https:// before any request is sent, and certificate errors become hard failures that the visitor cannot click through. This blocks SSL-stripping (downgrade) attacks and the man-in-the-middle attacks they enable, protecting the confidentiality and integrity of your visitors' traffic. The policy only takes effect after the first successful HTTPS visit; the preload list (step 4) closes that first-visit gap.
Implementation Steps:
1. Verify HTTPS is Enabled
- Action: Confirm that your website is accessible via HTTPS (e.g., https://yourwebsite.com).
- Requirement: Your website must have a valid SSL/TLS certificate installed. If you encounter certificate warnings or errors, please contact your certificate provider or Zesty support for assistance.
- Important: Browsers only honor the Strict-Transport-Security header when it arrives over an HTTPS connection with no certificate errors; the same header sent over plain HTTP is ignored.
2. Configure the HSTS Header in Zesty
- Action: Within your Zesty platform, navigate to the "Security" settings of your website instance.
- Add the following header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- Header Breakdown:
- max-age=31536000: Instructs browsers to enforce HTTPS for one year (31,536,000 seconds), counted from the last time they received the header. Sending max-age=0 withdraws the policy from browsers that can still reach the site over HTTPS.
- includeSubDomains: Extends the HSTS policy to every subdomain of your website (e.g., blog.yourwebsite.com). Before adding it, confirm that all subdomains, including any not hosted on Zesty (mail, intranet or development hosts), serve valid HTTPS; otherwise they become unreachable in browsers that have cached the policy.
- preload: Signals that you consent to inclusion in the browser HSTS preload lists, which protects first-time visitors. The directive alone does nothing until you submit the site (step 4). Leave it out until you are ready to submit, because removal from the preload list is slow to propagate to browsers.
3. Test Your HSTS Configuration
- Action: Before committing to the full-year max-age, it is crucial to test your HSTS setup. The policy is cached in visitors' browsers, so a mistake deployed with a long max-age cannot be undone quickly from the server side.
- Methods:
- Chrome DevTools: Open Chrome DevTools (press F12), go to the "Network" tab, and inspect the response headers when you visit your website over HTTPS. Look for the Strict-Transport-Security header.
- Online Testers: Use hstspreload.org to validate your HSTS configuration and check whether the site meets the preload requirements.
- Recommended Testing: Start with a short max-age value (e.g., max-age=3600 for one hour) and without the preload directive, to ensure the configuration works as expected and that every subdomain still loads. Gradually increase max-age (for example, to one day, one week, then one month) after successful testing, and move to max-age=31536000 only once you are confident.
4. Optional: Submit to HSTS Preload List
- Action: If you wish to further enhance security for first-time visitors, you can submit your website to the HSTS preload list at hstspreload.org.
- Benefits: Preloading ensures that browsers enforce HTTPS for your website on the very first visit, even before they receive the HSTS header.
- Requirements: Your website must meet the preload list's requirements: a valid certificate; any HTTP (port 80) listener on the same host redirecting to HTTPS; the HSTS header served on the HTTPS response of the base domain with max-age of at least 31536000 (one year), includeSubDomains and preload; and all subdomains served over HTTPS. Treat inclusion as effectively permanent, since removal is slow to reach browsers.
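The checks in steps 2 through 4 (is the header present, is max-age long enough, are includeSubDomains and preload set) can be scripted. The following is an added example, not Zesty's own tooling or code from this page: a small POSIX shell script that parses a Strict-Transport-Security header value and reports whether it meets the hstspreload.org eligibility rules described above. The sample header values are constructed; the curl command in the trailing comment assumes a hostname of your own and needs network access.

```bash
#!/usr/bin/env bash
# Added example (not part of the Zesty documentation): parse an HSTS header
# value and check it against the preload-list requirements from step 4.

# Normalize a header value: lowercase, strip spaces, one directive per line.
hsts_directives() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' ' | tr ';' '\n'
}

# Print the max-age value in seconds, or nothing if the directive is absent.
hsts_max_age() {
  hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Return 0 if directive $2 (case-insensitive) appears in header value $1.
hsts_has_directive() {
  hsts_directives "$1" | grep -qx "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Report findings for one header value; return 0 only if preload-eligible.
check_hsts() {
  value="$1"
  ok=0
  age="$(hsts_max_age "$value")"
  if [ -z "$age" ]; then
    echo "FAIL: no max-age directive (browsers ignore the header without it)"
    ok=1
  elif [ "$age" -lt 31536000 ]; then
    echo "WARN: max-age=$age is under one year; fine for testing, too short for preload"
    ok=1
  else
    echo "OK: max-age=$age"
  fi
  if hsts_has_directive "$value" includeSubDomains; then
    echo "OK: includeSubDomains present (every subdomain must now serve HTTPS)"
  else
    echo "FAIL: includeSubDomains missing (required for preload)"
    ok=1
  fi
  if hsts_has_directive "$value" preload; then
    echo "OK: preload present"
  else
    echo "FAIL: preload missing (required for preload)"
    ok=1
  fi
  return $ok
}

# Live check (needs network; replace the hostname with your own):
#   curl -sI https://yourwebsite.com | grep -i '^strict-transport-security:' | cut -d' ' -f2-
# Offline run on a constructed header value, the one recommended in step 2:
check_hsts "max-age=31536000; includeSubDomains; preload"
```

Run it against the short testing value from step 3 (max-age=3600) and it returns non-zero with a WARN line, which is the expected state while you are still ramping max-age; it should only pass once you have deployed the final one-year header and are about to submit.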
Important Notes:
- Keep your SSL/TLS certificate renewed before it expires. With HSTS in place, browsers treat an expired or invalid certificate as a hard failure with no click-through, so a lapsed certificate makes the site unreachable for visitors until it is fixed.
- Thoroughly test your HSTS configuration, starting with a short max-age, before deploying the one-year value to a production environment.
- If you have any questions or require further assistance, please contact Zesty support.