This article describes how to set up an HSTS security policy at Pagely.
What Is HSTS?
HSTS (HTTP Strict Transport Security) is a web security policy that protects websites against protocol downgrade attacks and cookie hijacking. The server adds a response header field named Strict-Transport-Security, which specifies a period during which the user agent must access the server only over a secure (HTTPS) connection.
For more information, visit the HSTS Wikipedia page.
Considerations
Should I Enable HSTS?
Enabling HSTS is a good security practice, but you should be careful to only enable HSTS after you've tested your sites and understand the risks involved.
Due to how some WordPress configurations and staging sites operate, HSTS can sometimes cause redirect loops or staging/development sites to become inaccessible. Therefore, HSTS should only be enabled after taking a thorough look through your site for issues that may arise.
If you have any questions about HSTS, or about whether you should enable it on your site, we're happy to look into it for you. Just submit a support ticket with information on your particular use case. Our support team is happy to help.
What Should I Be Concerned About When Enabling HSTS?
Multiple Redirects
If a browser is redirected HTTP -> HTTPS -> HTTP -> HTTPS, the site will not load in most cases, because the browser strictly adheres to the HSTS policy that is in place.
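The following script is an added example, not Pagely code or part of this article. It covers the two points above: it parses a Strict-Transport-Security header value (the max-age, includeSubDomains and preload directives defined in RFC 6797) so you can see what policy duration a site is actually sending, and it walks an ordered list of redirect-chain URLs looking for the HTTPS -> HTTP downgrade hops that make an HSTS-enabled site fail to load. The header value and redirect chain in the script are constructed sample data; in practice you would feed it the header and Location chain observed for your own site before asking for HSTS to be turned on.

```python
"""Pre-enablement HSTS checks: parse the policy header and flag redirect
chains that flip between HTTPS and HTTP. Added example with constructed
sample data; not Pagely's own tooling."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample inputs (not captured from a real site).
SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"
SAMPLE_CHAIN = [
    "http://example.com/",
    "https://example.com/",
    "http://www.example.com/",   # a plugin or config sending the browser back to HTTP
    "https://www.example.com/",
]


@dataclass
class HstsPolicy:
    max_age: int             # seconds the browser should remember "HTTPS only"
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the value is invalid: RFC 6797 requires a max-age
    directive with a non-negative integer, and browsers ignore the header
    without it. Unknown directives are ignored, as the RFC instructs.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def redirect_chain_problems(chain: List[str]) -> List[str]:
    """Report HSTS-breaking hops in an ordered redirect chain.

    A hop from https to http is exactly the HTTP -> HTTPS -> HTTP pattern
    that the browser will refuse to follow once HSTS is set; a chain that
    does not end on https is flagged as well.
    """
    problems = []
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    for i in range(1, len(schemes)):
        if schemes[i - 1] == "https" and schemes[i] == "http":
            problems.append(
                f"hop {i}: downgrade https -> http ({chain[i - 1]} -> {chain[i]})"
            )
    if schemes and schemes[-1] != "https":
        problems.append(f"final URL is not https: {chain[-1]}")
    return problems


def main() -> None:
    policy = parse_hsts(SAMPLE_HEADER)
    if policy is None:
        print("header is invalid; browsers will ignore it")
    else:
        print(f"policy lasts {policy.max_age // 86400} days, "
              f"subdomains={policy.include_subdomains}, preload={policy.preload}")
    for problem in redirect_chain_problems(SAMPLE_CHAIN) or ["redirect chain is clean"]:
        print(problem)


if __name__ == "__main__":
    main()
```

Run the script against the header and redirect chain you observe for your own site: an empty list from redirect_chain_problems means no protocol flip-flop was found in that chain, and the parsed max-age tells you how long browsers will pin the site to HTTPS once the header is served.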
Browser Support
While all modern browsers support HSTS, older versions may have issues. Additionally, certain browsers recommend a specific policy duration. In general, the longer the policy is kept in place, the better.
How To Enable HSTS
While it's possible to enable HSTS via PHP, this is not the suggested Pagely method and will likely cause issues.
If you need to enable HSTS, please contact support to have it enabled.