This article describes how to set up an HSTS security policy at Pagely.
What Is HSTS?
HSTS (HTTP Strict Transport Security) is a web security policy that protects websites against protocol downgrade attacks and cookie hijacking. The server adds a response header named Strict-Transport-Security whose max-age directive tells the user agent, in seconds, how long it must access the host only over HTTPS; once a browser has seen the header over a valid HTTPS connection, it rewrites plain http:// requests for that host to https:// itself, without ever sending them in the clear. The optional includeSubDomains directive extends the policy to every subdomain, and preload marks the site for inclusion in the browsers' built-in HSTS list.
Should I Enable HSTS?
Generally, you should only enable HSTS if you have a specific reason for doing so. Because the browser caches the policy for the full max-age, anything on your domain that still depends on plain HTTP (including subdomains, if includeSubDomains is set) will stop working for returning visitors, and you cannot undo that on the browser side until the cached policy expires or is replaced. Therefore, HSTS isn't recommended unless you have a specific use case that requires it.
If you have any questions about HSTS or whether you should enable it on your site, we're happy to look into it for you. Just submit a support ticket with information on your particular use case. Our support team is happy to help.
What Should I Be Concerned About When Enabling HSTS?
If your site ever redirects HTTPS back to HTTP (HTTP -> HTTPS -> HTTP -> HTTPS ...), the site will not load in most cases: the browser is strictly adhering to the HSTS policy it has cached, so it upgrades every HTTP request to HTTPS again, the server redirects back to HTTP, and the browser eventually gives up with a redirect-loop error. Check every redirect on the site, not just the home page, before the policy goes live.
While all modern browsers support this, older versions may have issues. Additionally, the HSTS preload list used by the major browsers requires a max-age of at least one year (31536000 seconds) together with includeSubDomains and preload. In general, the longer the policy is in place the better, but a longer max-age also means a longer wait for browsers to forget it if something breaks, so it is common to start with a short max-age and raise it once everything has been verified over HTTPS.
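The following Python script is an added example, not part of the Pagely article or Pagely's tooling. It parses a Strict-Transport-Security header value the way a browser does (RFC 6797), reports why a policy would fail the preload-list requirements described above, and then models the redirect loop from the previous section: an HSTS-aware browser that rewrites http:// to https:// for hosts whose policy it has cached. The responses for `example.com` are constructed in the script; the function and variable names are assumptions made for this example.

```python
"""Added example: parse an HSTS header, check preload eligibility, and model
the HTTPS -> HTTP redirect loop that a cached HSTS policy turns into a failure.
All responses below are constructed for illustration; nothing is fetched."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; minimum max-age required by the HSTS preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse Strict-Transport-Security directives per RFC 6797 section 6.1.
    max-age is mandatory; names are case-insensitive; values may be quoted;
    unknown directives are ignored, as a browser would ignore them."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security is missing the required max-age directive")
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: HstsPolicy) -> list:
    """Reasons the policy would be rejected by the preload list; empty means eligible."""
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive is missing")
    if not policy.preload:
        problems.append("preload directive is missing")
    return problems


# Constructed responses: url -> (status, Location header, Strict-Transport-Security header).
# BROKEN_SITE is the setup warned about above: the HTTPS side redirects back to HTTP.
BROKEN_SITE = {
    "http://example.com/": (301, "https://example.com/", None),
    "https://example.com/": (301, "http://example.com/", "max-age=31536000; includeSubDomains"),
}
# HEALTHY_SITE only ever redirects upward, from HTTP to HTTPS.
HEALTHY_SITE = {
    "http://example.com/": (301, "https://example.com/", None),
    "https://example.com/": (200, None, "max-age=31536000; includeSubDomains"),
}


def simulate_browser(start_url: str, responses: dict,
                     hsts_cache: Optional[set] = None, max_hops: int = 10) -> str:
    """Follow redirects the way an HSTS-aware browser does and return the final URL.
    Any http:// request to a host with a cached policy is upgraded to https:// before it
    is sent. The header is only honoured on HTTPS responses (RFC 6797 section 8.1).
    Raises RuntimeError when the redirects never settle, i.e. the loop described above."""
    hsts_cache = set() if hsts_cache is None else hsts_cache
    url = start_url
    for _ in range(max_hops):
        if url.startswith("http://") and urlsplit(url).hostname in hsts_cache:
            url = "https://" + url[len("http://"):]  # browser-side upgrade, no plaintext request
        status, location, hsts_header = responses[url]
        if hsts_header and url.startswith("https://"):
            parse_hsts(hsts_header)  # a malformed header would be ignored by a browser
            hsts_cache.add(urlsplit(url).hostname)
        if status == 200:
            return url
        url = location
    raise RuntimeError(f"redirect loop: browser gave up after {max_hops} hops at {url}")


if __name__ == "__main__":
    policy = parse_hsts("max-age=300")
    print("preload problems for max-age=300:", preload_problems(policy))
    print("healthy site ends at:", simulate_browser("http://example.com/", HEALTHY_SITE))
    try:
        simulate_browser("http://example.com/", BROKEN_SITE)
    except RuntimeError as exc:
        print("broken site:", exc)
```

Note that on the broken site the very first visit already fails: the browser learns the policy on the first HTTPS hop and from then on upgrades every HTTP redirect target itself. The only way to revoke a policy from the server side is to send `max-age=0` over HTTPS, and that reaches each browser only when it next visits, which is the reason for starting with a short max-age.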
How To Enable HSTS
While it's possible to enable HSTS via PHP, this is not the suggested Pagely method and will likely cause issues: a header set in application code only appears on responses PHP generates, not on cached pages or static files served directly by the web server, so the policy is applied inconsistently.
If you need to enable HSTS, please contact support to have it enabled.