Implementing website security correctly is critical, and that includes HTTP Strict Transport Security (HSTS). There are different ways to secure a small business website; one of them is to enable the HSTS security header on your HTTPS website to protect your visitors from attackers.
What is HTTP Strict Transport Security?
HTTP Strict Transport Security (HSTS) is a web security mechanism that protects websites against man-in-the-middle attacks and cookie hijacking. It lets a web server instruct browsers to use only secure HTTPS connections to it, never plain HTTP. This prevents an attacker from downgrading the connection to HTTP and tricking your visitors into thinking they are still communicating with your website, and it prevents the attacker from stealing a session cookie over an unencrypted HTTP connection.
Enable HSTS in Your Website
To enable HTTP Strict Transport Security on your WordPress website, add the following code to your child theme's functions.php file. If you are not using a child theme, use the Code Snippets plugin instead; otherwise a future theme update will overwrite your code.
In addition, you should preload HSTS by submitting your website on the HSTS preloading website. That form submits domains for inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list. Firefox, Opera, Safari, IE 11 and Edge also have HSTS preload lists based on the Chrome list.

To be accepted to the HSTS preload list, your website must satisfy the following requirements:
- A valid TLS/SSL certificate
- Redirect from HTTP to HTTPS
- All subdomains served over HTTPS
- The HSTS header must carry the following directives:
  - max-age=31536000
  - includeSubDomains
  - preload
- If your HTTPS site issues further redirects, those redirect responses must still carry the HSTS header.
// Send the Strict-Transport-Security header with every response WordPress generates.
// Browsers only honour the header when it arrives over HTTPS, so it is harmless on HTTP.
function tg_enable_strict_transport_security_hsts_header_wordpress() {
    // No whitespace after '=': RFC 6797 does not allow it in the max-age directive.
    header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );
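The preload requirements above apply to the header value itself, so it is worth being able to check a header offline before submitting the domain. The following Python script is an added example, not code from the original post or from WordPress: it parses a Strict-Transport-Security value the way RFC 6797 section 6.1 describes (directives separated by ';', case-insensitive names, each directive at most once, unknown directives ignored) and reports everything that would keep it off the preload list, including the stray space after `max-age=` that a hand-typed header can easily contain. The sample header values at the bottom are constructed for the demonstration; certificate validity, the HTTP-to-HTTPS redirect and subdomain coverage are outside what a header parser can see and must be checked separately.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Chrome's preload list requires a max-age of at least one year (seconds).
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)  # syntax issues seen while parsing


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value per RFC 6797 section 6.1."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()  # optional whitespace around ';' is allowed
        if not directive:
            continue
        name, eq, val = directive.partition("=")
        key = name.strip().lower()  # directive names are case-insensitive
        if key in seen:
            policy.problems.append(f"duplicate directive '{key}'")
            continue
        seen.add(key)
        if key == "max-age":
            if not eq:
                policy.problems.append("max-age has no value")
                continue
            if name != name.rstrip() or val != val.lstrip():
                # The ABNF permits no whitespace around '='. Some clients are
                # lenient, but a preload submission should not rely on that.
                policy.problems.append("whitespace around '=' in max-age")
            num = val.strip().strip('"')  # the value may be a quoted-string
            if not re.fullmatch(r"\d+", num):
                policy.problems.append(f"max-age value {val.strip()!r} is not an integer")
                continue
            policy.max_age = int(num)
        elif key in ("includesubdomains", "preload"):
            if eq:
                policy.problems.append(f"{key} takes no value")
            if key == "includesubdomains":
                policy.include_subdomains = True
            else:
                policy.preload = True
        # Any other directive is ignored, as the RFC requires.
    return policy


def preload_problems(value: str) -> List[str]:
    """Return every reason this header value would fail the preload-list
    header requirements. An empty list means the header itself is acceptable."""
    policy = parse_hsts(value)
    unmet = list(policy.problems)
    if policy.max_age is None:
        unmet.append("max-age directive missing")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        unmet.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        unmet.append("includeSubDomains directive missing")
    if not policy.preload:
        unmet.append("preload directive missing")
    return unmet


if __name__ == "__main__":
    # Constructed sample header values; none were captured from a real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age= 31536000; includeSubDomains; preload",
        "max-age=300",
        "max-age=31536000; includeSubDomains; preload; max-age=0",
    ]
    for sample in samples:
        problems = preload_problems(sample)
        print(f"{sample!r}: {'OK' if not problems else '; '.join(problems)}")
```

To check a live response rather than a pasted string, feed the script the value of the Strict-Transport-Security header from the HTTPS response (for example from curl's `-I` output) and remember that a redirect response on the HTTPS site has to pass the same check as the final page.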
Once you have added the code, you can confirm that HSTS is working by entering your website URL into the SSL Server Test by Qualys, a free online service that analyzes the configuration of any SSL web server on the Internet. You will see the following in your result.
- HTTP Strict Transport Security (HSTS) with long duration deployed on this server.
- Strict Transport Security (HSTS): Yes max-age=31536000; includeSubDomains; preload
- HSTS Preloading: Chrome

Summary
Good job! You have just enabled HSTS on your website. From now on, browsers that have seen the header (or that ship your domain in their preload list) will refuse plain HTTP connections to your site, which protects your visitors against man-in-the-middle attacks and cookie hijacking.