Guides

Enabling HTTP Strict Transport Security (HSTS) on Your Website

This document provides step-by-step instructions for enabling HTTP Strict Transport Security (HSTS) on your Zesty-hosted website. HSTS significantly enhances your website's security by ensuring that browsers always connect via HTTPS.

Suggest Edits

Why Enable HSTS?

HSTS prevents attackers from downgrading your website's connection to HTTP, protecting your visitors from man-in-the-middle attacks and ensuring data confidentiality.

Implementation Steps:

1. Verify HTTPS is Enabled

  • Action: Confirm that your website is accessible via HTTPS (e.g., https://yourwebsite.com).
  • Requirement: Your website must have a valid SSL/TLS certificate installed. If you encounter certificate warnings or errors, please contact your certificate provider or Zesty support for assistance.
  • Important: HSTS requires an active and valid HTTPS connection.

2. Configure the HSTS Header in Zesty

  • Action: Within your Zesty platform, navigate to the "Security" settings of your website instance.
  • Add the following header:
    • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Header Breakdown:
    • max-age=31536000: This directive instructs browsers to enforce HTTPS for one year (31,536,000 seconds).
    • includeSubDomains: This extends the HSTS policy to all subdomains of your website (e.g., blog.yourwebsite.com).
    • preload: This allows your website to be considered for inclusion in browser HSTS preload lists, improving security for first-time visitors.

3. Test Your HSTS Configuration

  • Action: Before implementing the full year max-age, it is crucial to test your HSTS setup.
  • Methods:
    • Chrome DevTools: Open Chrome DevTools (press F12), go to the "Network" tab, and inspect the response headers when you visit your website. Look for the Strict-Transport-Security header.
    • Online Testers: Use online tools like hstspreload.org to validate your HSTS configuration.
  • Recommended Testing: Start with a short max-age value (e.g., max-age=3600 for one hour) to ensure the configuration works as expected. Gradually increase the max-age after successful testing.

4. Optional: Submit to HSTS Preload List

  • Action: If you wish to further enhance security for first-time visitors, you can submit your website to the HSTS preload list at hstspreload.org.
  • Benefits: Preloading ensures that browsers enforce HTTPS for your website on the very first visit, even before they receive the HSTS header.
  • Requirements: Your website must meet the preload list's requirements (e.g., valid certificate, includeSubDomains and preload directives).

Important Notes:

  • Ensure your SSL/TLS certificate remains valid for the duration specified in the max-age directive.
  • Thoroughly test your HSTS configuration before deploying it to a production environment.
  • If you have any questions or require further assistance, please contact Zesty support.

Updated about 1 month ago