Enable HSTS (HTTP Strict Transport Security) at LuxSci

April 27th, 2015

HSTS (HTTP Strict Transport Security) protects your secure web site against “security downgrade attacks”: once a browser has seen your site’s HSTS policy, it refuses to load insecure (plain HTTP) versions of your site or pages and fetches the secure versions instead, even if the user or a link asks for the insecure one.  This, in turn, helps prevent man-in-the-middle attacks such as SSL stripping on people using your web site.  The policy itself is just a response header, Strict-Transport-Security, that your site sends over HTTPS (browsers ignore it if it arrives over plain HTTP).  HSTS is a very simple and very powerful tool that you can use to lock down the web site security provided by your SSL certificate.

LuxSci web hosting customers with SSL can now enable HSTS for their sites by simply checking the HSTS box in their web site configuration area. 

What are the benefits of HTTP Strict Transport Security?

There are many. HSTS can:

  1. Prevent people who have visited your secure site from ever reaching insecure links to your site (the browser rewrites these to secure links before making the request).
  2. Be pre-loaded into browsers so that they will always access your site securely, even if they have never visited your site before.  See: HSTS preload submissions.
  3. Provide zero tolerance for SSL certificate issues.  If there seems to be a problem with your SSL certificate, then browsers will NOT LET users click through to the site anyway.  This is the right behavior, because a certificate error on an HSTS site is exactly what a man-in-the-middle attack looks like to the browser.  The flip side is that an expired or misconfigured certificate locks your users out until you fix it, so keep your certificate current.

There are some additional benefits:

  1. Mixed content.  If your secure pages reference insecure objects (scripts, images, style sheets) on your own domain, HSTS makes the browser fetch them over HTTPS, so these references no longer trigger mixed-content warnings.  Note that this only covers hosts the policy applies to: the site’s own host name, and its subdomains only if the policy includes them.
  2. Cookies.  If you forget to set your web cookies with the “Secure” flag, HSTS keeps browsers that have seen your policy from sending them “in the clear” at all.  This is a safety net, not a substitute: a browser that has not yet seen the policy still relies on the Secure flag, so set it anyway.
  3. Better than a redirect.  If someone uses a bookmark or a link to your insecure page, the browser rewrites it to the secure URL internally, before any request leaves the machine.  So, the user goes directly to the secure page without first being “redirected”, and no plaintext request is ever exposed to an attacker on the network (a server-side redirect, by contrast, only kicks in after that first insecure request has already been sent).  This is both faster and more secure.
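As an added example (not LuxSci’s code, and not the code of any particular browser), here is a small Python simulation of the browser side of the behaviors listed above: it parses a Strict-Transport-Security header, keeps a per-host policy cache the way a browser does, and shows links, bookmarks and same-domain mixed-content references being rewritten to HTTPS before any request is made, subdomains being covered only when the policy says includeSubDomains, and the policy expiring after max-age.  It also includes a check against the preload submission rules mentioned above.  The names (HSTSStore, parse_hsts, preload_problems) are mine, and the preload thresholds it applies (max-age of at least one year, plus includeSubDomains and preload) are the current hstspreload.org requirements as I understand them; the minimum max-age was shorter when this article was written, so treat them as an assumption and confirm on the submission site.

```python
"""Simulated browser-side HTTP Strict Transport Security.

Added example (not LuxSci's code). It parses a Strict-Transport-Security
response header into a policy, keeps a per-host policy store like a browser's,
and demonstrates:
  * http:// links, bookmarks and same-domain mixed-content references are
    rewritten to https:// before any request leaves the machine;
  * subdomains are covered only when the policy says includeSubDomains;
  * the policy expires after max-age seconds, and max-age=0 removes it;
  * a helper checks the header against the preload submission rules
    (assumed here: max-age >= 1 year, includeSubDomains, preload).
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; assumed current preload-list minimum max-age


def parse_hsts(header):
    """Parse an STS header value, e.g. 'max-age=31536000; includeSubDomains'."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as RFC 6797 requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def preload_problems(header):
    """List what stops this header from qualifying for the preload list."""
    p = parse_hsts(header)
    problems = []
    if p["max_age"] < ONE_YEAR:
        problems.append("max-age must be at least %d seconds" % ONE_YEAR)
    if not p["include_subdomains"]:
        problems.append("includeSubDomains directive is missing")
    if not p["preload"]:
        problems.append("preload directive is missing")
    return problems


class HSTSStore:
    """Per-host policy cache, roughly what a browser keeps for HSTS hosts."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be exercised
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def learn(self, host, header):
        """Record the policy a host sent. Only call this for HTTPS responses:
        a browser ignores the header when it arrives over plain HTTP."""
        p = parse_hsts(header)
        host = host.lower()
        if p["max_age"] == 0:   # max-age=0 tells the browser to forget the host
            self.policies.pop(host, None)
            return
        self.policies[host] = (self.now() + p["max_age"], p["include_subdomains"])

    def is_known(self, host):
        """True if an unexpired policy covers this exact host or, via
        includeSubDomains, one of its parent domains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):   # port 80 becomes 443; others are kept
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HSTSStore()
    store.learn("example.com", "max-age=31536000; includeSubDomains; preload")
    print(store.upgrade("http://example.com/login"))          # https://example.com/login
    print(store.upgrade("http://static.example.com/app.js"))  # https://static.example.com/app.js
    print(store.upgrade("http://other.example/"))             # unchanged: no policy
    print(preload_problems("max-age=3600"))                    # three problems listed
```

The injectable clock is only there so that expiry can be exercised; a real browser stores the expiry time alongside the host exactly as done here, which is why a long max-age is a commitment: users keep refusing plain HTTP for your site until it runs out.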

LuxSci highly recommends that anyone with an SSL-enabled site that they plan to always use SSL on (and who doesn’t these days) should also enable HSTS.  Bear in mind that, once browsers have cached the policy, they will refuse plain HTTP for your site until it expires, so enable it only once every page on the site works over HTTPS.