HTTP Strict Transport Security (HSTS) • Cheap Website Design Service

March 15, 2021

What is HTTP Strict Transport Security?

HTTP Strict Transport Security (HSTS) is a web security mechanism that protects websites against man-in-the-middle attacks and cookie hijacking. It allows web servers to automatically make web browsers use only secured HTTPS connections instead of unsecured HTTP connections. This prevents hackers from using HTTP and tricking your website visitors into thinking they are still communicating with your website. This also prevents hackers from stealing a session cookie over an HTTP connection.

Enable HSTS in Your Website

To enable HTTP Strict Transport Security in your WordPress website, you need to add the following code into your website child theme’s functions.php file. If you are not using a child theme, you may use Code Snippets plugin otherwise future theme updates will override your code.

Besides, you will need to preload HSTS by submitting your website on the HSTS preloading website. This form is used to submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list. Firefox, Opera, Safari, IE 11 and Edge also have HSTS preload lists based on the Chrome list.

To be accepted to the HSTS preload list, your website must satisfy the following requirements:

A valid TLS/SSL certificate
Redirect from HTTP to HTTPS
All subdomains over HTTPS
Use the following code in the HSTS header
- max-age=31536000
- includeSubDomains
- preload
- In case of additional redirects from your HTTPS site, those redirects must still have the HSTS header.

function tg_enable_strict_transport_security_hsts_header_wordpress() {
    header( 'Strict-Transport-Security: max-age= 31536000; includeSubDomains; preload' );
}
add_action( 'send_headers', 'tg_enable_strict_transport_security_hsts_header_wordpress' );

Once you add the code, you can check if HSTS is working on your website on SSL Server Test by Qualys by entering your website URL. It is a free online service analyzing the configuration of any SSL web server on the Internet. You will see the following in your result.

HTTP Strict Transport Security (HSTS) with long duration deployed on this server.
Strict Transport Security (HSTS): Yes max-age=31536000; includeSubDomains; preload
HSTS Preloading: Chrome

Summary

Good job! You have just enabled HSTS on your website. From now on, your website will be protected against man-in-the-middle attacks and cookie hijacking for enhanced website security.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Enable HTTP Strict Transport Security on Your Website

Table of Contents

Enable HTTP Strict Transport Security on Your Website

Table of Contents

What is HTTP Strict Transport Security?

Enable HSTS in Your Website

Summary

Further Reading

Related posts

Your Adobe Flash Website Will Be Dead

Who Is The Most Popular TLS Certificate Authority?

Only HTTPS Websites Are Secure

We Value Your Privacy.