HTTP Strict Transport Security (HSTS): Improve your HTTPS security and speed.

HTTP Strict Transport Security (HSTS) is a response header sent by a server to a user agent such as a browser telling it that it must only connect using HTTPS.

The Response Header will look something like this

Strict-Transport-Security: max-age=63072000

Security

One of the big reasons for using HSTS is that it can help protect your users from man-in-the-middle and ssl-strip attacks on your website. An attacker may redirect a user away from your website to a HTTP version of your website which may be carrying a malware or phishing payload. Because the browser has been told to only ever access the site using HTTPS this makes the attack vector much harder. The attacker would need to successfully spoof your SSL certificate. This is harder because the [Proceed to safety] option is removed.

servertastic ssl error

Speed Improvements

The ServerTastic website automatically forces users to redirect to HTTPS. We do this via 301 redirect. However this can still take 50–60ms. If you implement HSTS then the browser will perform the redirect instantly without contacting your server saving those 50–60ms

HTTP Strict Transport Security in action

How to implement

We have put together a few examples on our support pages of how to implement HSTS on your website.