HSTS: Achieve SSL Labs A+ Grade with FastComet

Ensuring security is set up correctly for your website is very important, especially when it comes to protecting yourself from hackers. The rapid development of new technologies, strict compliance standards, and evolving threats from hackers make it essential to keep your business’ security tools up-to-date and as strong as possible.

FastComet is proud to provide its customers with the most state-of-the-art online security solutions available. It’s our responsibility to make sure all our customers are well-protected and secure at every level. HSTS (HTTP Strict Transport Security) is yet another brick in the firewall of defense against fraud. It makes your SSL implementation more secure by closing a couple of key attack vectors. Best of all, we have ensured its setup is quick, easy and free.

Why HTTPS Matter?

You should already know that HTTPS is now a requirement for any websites. Beginning in July 2018 with the release of Chrome 68, Chrome browser will mark all HTTP sites as “not secure” and prominently highlight this in its URL bar which will quickly scare away visitors. And yes, we did say “all.” The urge to get rid of unsecured navigation has never been stronger: each release of Google Chrome or Mozilla Firefox comes with a new warning sign for users sharing private data. Even if you don’t care that much about your own website security, Google does. HTTPS is a small ranking factor in Google in organic web search algorithms and is categorized as a ‘site quality’ score along with many other factors such as page speed and mobile responsiveness. There are numerous different enhancements and best security practices you can implement to ensure that your site is locked down.

But padlocking your website is still not enough to automatically redirect all your HTTP traffic to the HTTPS secured version as people will eventually find a way to reach your website over HTTP://. This is why one of the enhancements we recommend implementing is the HTTP Strict Transport Security over HTTPS. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection. And the best part is that you greatly improve your overall SSL rating with FastComet.

What is HSTS?

HTTP Strict Transport Security (commonly referred to as HSTS) is an opt-in browser security mechanism that lets website owners declare “Encrypted Communications Only”. The Strict-Transport-Security HTTP header instructs browsers to only interact with the domain over secure HTTPS protocol (SSL/TLS) for a set period of time (the max-age header which we are adding in the .htaccess file while enabling HSTS). HSTS only goes into effect after a browser receives a valid header from the domain. The goal of HSTS is to ensure unencrypted communication between the client and the browser, is not allowed on your site and to mitigate attacks such as Man-in-the-Middle (MITM) which might attempt to keep you on HTTP.

But why do you need this when you already have redirected your site to SSL? Obtaining an SSL Certificate will never be enough. Although websites may have implemented SSL certificate through SSL technology like Let’s Encrypt, more often than not the web browsers use HTTP first and then make the switch to HTTPS, even for websites which support this security protocol. Therefore this dangerous gap – before the switch is made – leaves the connection exposed to hackers. HSTS technology can help eliminate this dangerous gap.

Although our systems prefer the HTTPS version by default, you can also make this clearer for other search engines by redirecting your HTTP site to your HTTPS version and by implementing the HSTS header on your server. Zineb Ait Bahajji, Google Security Team

HSTS is not a replacement for HTTPS. HSTS is meant for situations when users are not actually visiting your site, but a site that is pretending to be your site, and therefore does not have an SSL certificate. So this fake site won’t have a redirect to SSL!

Enabling HSTS

When HSTS is enabled for a site, web browsers automatically change any insecure requests (HTTP://) to secure requests (https://). All you need to do to enable HSTS is add a header to your site’s .htaccess file. Web browsers recognize this header, and then take care of the rest without any further intervention on your part. Follow our step by step tutorial on How to enable HSTS.

How to Enable Browser Pre-recognition of HSTS?

There’s something called HSTS preload list – which is nothing but a list of HSTS enabled websites – that is automatically stored in the browsers. Google officially compiles this list and it is utilized by Chrome, Firefox, Opera, Safari, IE11, and Edge. Submit your site to the official HSTS preload list. Equipped with this HSTS preload list, the browser when accessing a website will check whether the website it’s trying to access figures on this list, and if it does, the browser will automatically start using the secure HTTPS connection.

However, in order to be eligible for the HSTS preload list through this form, your site must satisfy the following set of requirements:

• Serve a valid SSL/TLS certificate.
• Redirect all traffic from HTTP to HTTPS.
• Serve all subdomains over HTTPS, specifically including the www subdomain if it exists.
• Serve an HSTS header on the base domain for HTTPS requests:
• The max-age must be at least 31536000 seconds (1 year).

The preload directive is non-standard, but important since once this is all up and running you want to submit your domain for HSTS preloading. It should be noted though that inclusion in the preload list cannot easily be undone. Don’t request inclusion unless you’re sure that you can support HTTPS for your entire site and all its subdomains in the long term.

Passing SSL Check with an A+ Grade

There are many SSL checkers out there which are used to check the validity and installation of a websites SSL Certificate. If you are not too sure how secure your website is, try testing it here:

SSL Labs by Qualys is one of the most popular SSL testing tools to check all latest vulnerability & misconfiguration, and we use it on a daily basis. It will fully analyze your SSL configuration and give you a score (anywhere from an A to an F) and a full report. Quite often it will come back with a score of ‘A’… which sounds pretty good but you are still potentially exposed to a Man In The Middle (MITM) attack against the server, decrypting previously captured data, or in the case of client-initiated SSL renegotiation, cause a denial of service against the server.

SSL configurations are considered insecure if a server supports one or more of the following:

• Connections without Strict-Transport-Security set
• Connections with forwarding secrecy disabled

Not happy with your ‘A’ now? Read on how to hit that A+ and keep your website happy.

Just to make sure our SSLs are in top-notch, we recently made available HSTS on all our Shared Web Hosting packages. To implement HSTS for your website, you must have a valid SSL Certificate. If you employ subdomains in your content structure, you will need a Wildcard Certificate to cover HTTPS only. Alternatively, you’re pretty safe with a Domain Validated, Organization Validated or Extended Validation SSL Certificate. Make sure you have these installed and working correctly. Just a quick reminder that we fully support Let’s Encrypt Wildcard certificates. Using the Free Lets’ Encrypt Wildcard certificate makes the setup and maintenance of websites with subdomains much easier, as they can now be encrypted with a single certificate. We’re proud to be among the first hosting companies to launch this option.

Having HSTS enabled for your website, web browsers automatically change any insecure requests (HTTP://) to secure requests (https://). Web browsers recognize this header, and then take care of the rest without any further intervention on your part. Not only does HTTP Strict Transport Security (HSTS) help you get an A+ SSL rating from SSL Labs, it will help protect your website against two primary types of man-in-the-middle attacks (MitM): protocol downgrade attacks and cookie hijacking. To see if your SSL certificate is working properly, head over to SSL Labs, fill in your domain name and see what kind of score you get.

Defaults matter and most people will stick with them. HSTS is important, and HTTPS is kind of incomplete without it. As we’re serious about HTTPS Everywhere then we need to be just as serious about enabling HSTS as we are about making sure everyone is serving content over HTTPS. Finding a way to encourage its use whenever possible would go a long way towards boosting security on the web as well as adhere to one of the primary principles of the Let’s Encrypt initiative we fully support.