
Getting hacked sucks. You lose money, your customers lose trust in you, and it’s a pain to resolve all the issues. But good thing you’re smart and have already implemented some security protocols for your site.

You’ve implemented an SSL certificate, fixed your mixed content issues, and your site is now showing as HTTPS. You know that HTTP is outdated and will hurt your search rankings and conversions. 

HTTPS is secure and you might be hoping that those are the only combinations of H, T, P and S you need to know. 

But have you heard of HSTS headers? Most likely not, since it isn’t a topic that’s being talked about a lot, but it’s the last mile in a marathon that makes your site extra secure. 

Implementing HSTS improves your site’s security, site speed, and SEO.

What Is HSTS?

First off, let’s get geeky and talk about the basics of how websites work. Your browser (the client) wants to access a website, so it asks the server (where the website is hosted) if it can access it. Then along with the file or webpage, the server sends back some information; information like the date, the size of the file, type of file, data about the server, restrictions, etc…

An HSTS header is simply a response header from the server that tells the browser it may only connect to that website over HTTPS. HSTS stands for “HTTP Strict Transport Security.”

Imagine a fork in the road, one way leads to a highway, the other leads you through a pirate-infested jungle only to find a sign that says go take the highway. A regular HTTPS redirect leads you through that second road. However, HSTS forces you to take the highway even if you asked to check out that other road.

How Does HSTS Improve Security?

In a nutshell, it prevents man-in-the-middle attacks. The most common HTTPS implementation is a 301 redirect from the HTTP version of the site to the HTTPS version.

Here’s what’s going on:
When you type in http://website.com, the browser requests the HTTP version of the site. Because of the 301 redirect, the server then sends you to https://website.com instead.

This is where hackers take advantage. The few milliseconds it takes to switch from HTTP to HTTPS are crucial, because that first request travels unencrypted and the site is extremely vulnerable. In that exposed window, an attacker sitting in the middle of the connection can intercept the plain HTTP request and block the site from ever being loaded over HTTPS.

Back to that analogy, while you are making your way from the sketchy road to the highway, this is where the pirates have their way with you, and even block your access to the highway.

As more sites move to HTTPS, hackers keep finding new ways to break it, and exploiting that plain-HTTP step is the most common.

HSTS prevents all of this. It forces sites to load over HTTPS: even if you try to load the HTTP version of a website, the browser ignores the HTTP request and treats it as an HTTPS request instead.

HSTS forces browsers to load the secure version of the site immediately and any attempt to load any non-encrypted version of the site gets blocked.
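The behaviour described above, modelled as a tiny in-memory HSTS cache of the kind a browser keeps. This is an added example, not code from the original post; the host names and timestamps are constructed, and the cache layout (host mapped to expiry and includeSubDomains flag) is a simplification of what real browsers store.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed model of a browser's HSTS cache: host -> (expiry_timestamp, include_subdomains)
def remember_hsts(store, host, max_age, include_subdomains, now):
    """Record the policy a browser learns from a Strict-Transport-Security header received over HTTPS."""
    if max_age <= 0:            # max-age=0 tells the browser to forget the host again
        store.pop(host, None)
        return
    store[host] = (now + max_age, include_subdomains)

def _policy_for(store, host, now):
    """Find a non-expired policy for host itself, or for a parent domain that set includeSubDomains."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = store.get(candidate)
        if entry is None or entry[0] <= now:   # unknown host, or policy has expired
            continue
        if i == 0 or entry[1]:                 # exact host, or parent with includeSubDomains
            return entry
    return None

def rewrite_url(store, url, now):
    """Return the URL the browser actually requests: http:// becomes https:// for a remembered host."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if _policy_for(store, parts.hostname, now) is None:
        return url                              # no policy: the plain HTTP request goes out
    netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    cache = {}
    remember_hsts(cache, "website.com", 10886400, True, now=1000)   # constructed visit at t=1000
    print(rewrite_url(cache, "http://website.com/login?x=1", now=1000))
    print(rewrite_url(cache, "http://shop.website.com/", now=1000))
```

Note that the HTTP request is rewritten before it leaves the browser, which is exactly the exposed window the 301 redirect leaves open.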

How Does HSTS Improve Site Speed?

Let’s go back to that road analogy. Your instinct is to always go through the jungle, so even if there’s an option to take the highway, you will always attempt to go through the jungle before running into the highway sign.

When you load a site that only supports HTTPS, the browser will try HTTP first before realizing the site supports HTTPS. Just as the initial trip down the wrong road only adds time to your journey, the attempt to call HTTP first delays the page load.

A prerequisite of HSTS is that an SSL certificate must be installed on the website, meaning HTTPS must exist; the highway must exist. HSTS helps with speed by forcing you onto the highway so you never have to check the other road: it makes the site load over HTTPS without first calling HTTP.

How Does HSTS Improve SEO?

Yes, it’s finally time we’re talking about SEO! How does HSTS affect SEO? By collecting brownie points from Google. Implementing HSTS has a positive impact on the factors Google uses to rank.

Security

Google values security. With all the trust issues going on lately with people’s data, Google does its best to keep an individual’s personal information safe. The safer a site is, the more Google will help rank it.

Google is not going to prioritize a high-risk website. Why? They’re *almost* liable for what happens to you if you visit a malicious website.

Site Speed

Site speed plays a major factor when it comes to ranking websites because it correlates with a positive user experience. When a user visits your website and it takes forever to load, will they wait? No! This is the era of fast internet. If your site won’t fully load fast enough, your visitors are just going to nope out of your site.

As a result, your bounce rate goes up and Google will see that people aren’t happy with your site. Google likes keeping its users happy, so if your slow site makes Google traffic unhappy, your site will start losing its rankings.

Patience doesn’t exist online. Speed up your site, make people happy, and rank higher.

Installing HSTS on WordPress

Installing HSTS Manually

If you’re brave enough to touch your site’s code, copy this code into your theme’s functions.php file.

add_action( 'send_headers', 'tgm_io_strict_transport_security' );
/**
 * Enables the HTTP Strict Transport Security (HSTS) header.
 *
 * max-age=10886400 keeps the policy for 18 weeks; includeSubDomains extends it to every
 * subdomain; preload signals the intent to be added to the browser preload list
 * (note that hstspreload.org requires a max-age of at least 31536000, one year, for that).
 *
 * @since 1.0.0
 */
function tgm_io_strict_transport_security() {
    header( 'Strict-Transport-Security: max-age=10886400; includeSubDomains; preload' );
}

Source: Thomas Griffin

Using a WordPress Plugin

Code looks intimidating, so if you don’t want to touch your site’s code at all, there is a plugin called Really Simple SSL Pro that lets you configure SSL with HSTS in just one click. The plugin also runs tests to check that SSL is properly configured with HSTS. The plugin is free; however, to get access to the HSTS option you need the full version, which costs $30.

Verifying HSTS is Installed

After you think you’ve enabled HSTS properly, you can visit https://hstspreload.org and https://securityheaders.com/ to verify that HSTS is running. You can also go to https://www.ssllabs.com/ssltest/ to check your site’s security score; it also tells you whether your site has HSTS enabled. Fun fact: our site is graded A+.

By the way, https://hstspreload.org isn’t only a site to check whether HSTS is running; it also adds your website to a “preload list”, which means your site is hard-coded as an HTTPS-only site in browsers. So, for example, if you get a new computer and install Google Chrome on it, Chrome will already recognize your site as an HTTPS site.

There are requirements for preloading your domain, however. Here they are:

  • Serve a valid certificate
  • Redirect HTTP to HTTPS on the same host
  • All subdomains must be on HTTPS
  • Serve HSTS header on the base domain (This is where you installed HSTS)
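A small checker for the last requirement, the header itself, added here as an example (not code from the original post or from hstspreload.org). It parses a Strict-Transport-Security value and reports why the preload list would reject it; the one-year minimum max-age, includeSubDomains and preload directive are hstspreload.org’s published conditions, and the sample header values are constructed.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive_name: value_or_None}.

    Directive names are case-insensitive, so they are lower-cased; a directive
    without '=' (includeSubDomains, preload) is stored with a value of None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives

def hsts_problems(header_value):
    """Return the reasons the header fails the preload checks; an empty list means it passes."""
    directives = parse_hsts(header_value)
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems

if __name__ == "__main__":
    # Constructed sample: the header value used by the functions.php snippet above
    for reason in hsts_problems("max-age=10886400; includeSubDomains; preload"):
        print("preload would be refused:", reason)
```

In practice you would feed it the value from `curl -sI https://yourdomain/ | grep -i strict-transport-security`, but note that browsers ignore the header when it arrives over plain HTTP, so always test the HTTPS response.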

Implement HSTS Now

Implementing HSTS on your website only does it good. You get a 3-in-1 benefit package simply by applying HSTS to your sites. It isn’t hard to do, it doesn’t take much time, and in an online world where keeping personal data private is crucial, it’s pretty much table stakes.


Matt Cox

Managing Partner

Partner at Konstruct Digital, where everyday we help our clients grow their businesses through the magic of inbound marketing. Developer by background, marketer by passion, I love working with customers to ideate innovative marketing solutions which deliver solid measurable results. I sit firmly in the interchange between left and right brained thoughts, and jump at any chance to leverage both my marketing and technical expertise.
