Secure HTTP to HTTPS migration using HSTS: A complete guide

A website that still serves pages over plain HTTP now risks losing its visitors: browsers label it as not secure and users have learned to distrust it. Moving to HTTPS is therefore a necessity, above all for websites that handle financial transactions or other sensitive information.
There are several ways to move a website from HTTP to HTTPS, but a plain redirect still leaves the very first, unencrypted request exposed. HTTP Strict Transport Security, commonly known as HSTS, closes that gap: it tells the browser to use HTTPS for every later request, which greatly reduces the window for man-in-the-middle (MITM) attacks during the HTTP to HTTPS redirection. ArvanCloud supports HSTS so that HTTP websites and links can be moved to HTTPS securely and without extra round trips.
In this ArvanCloud user guide we take a thorough look at HSTS.

What is HTTP Strict Transport Security Protocol?

When a visitor types a hostname without a scheme or follows an old http:// link, the browser's first request goes out over plain HTTP, so an unencrypted connection is hard to avoid. Redirecting HTTP pages to HTTPS automatically is the minimum needed to secure each visit, but the redirect itself still travels in the clear and can be intercepted.
HSTS, short for HTTP Strict Transport Security, is a policy that instructs user agents (browsers) to communicate with the website over HTTPS only. Deploying this web server directive stops the browser from ever sending a plain-HTTP request to the site, which removes the opportunity for eavesdropping and defeats a range of attacks, MITM and SSL-stripping attacks in particular.
HSTS is defined in RFC 6797. The website announces the policy with a response header named Strict-Transport-Security, which tells the visitor's browser that HSTS is in effect for that host.

What does a browser do when HSTS is deployed on a website?

When the visitor's first HTTPS request arrives, the web server answers with a header carrying the HSTS policy. Browsers ignore this header when it arrives over plain HTTP, so it must be sent on HTTPS responses. The header can look like this:

Strict-Transport-Security: max-age=2628000; includeSubDomains;

This header tells the browser that the domain and all of its subdomains must only be reached over HTTPS for the next 2,628,000 seconds (about one month). The timer restarts each time the browser sees the header again, so a regularly visited site never falls out of the policy.
Once it has seen this response, the browser will:

  • Rewrite every http:// link and typed address for that host to https:// before sending the request, so the upgrade happens locally and no plain-HTTP request ever leaves the machine.
  • Refuse the connection and show an error, with no option to click through, if it cannot establish a trusted HTTPS connection (for example because the certificate is invalid or expired).

Security benefits of HSTS protocol

Deploying HSTS makes your website significantly safer against several threats, including:

  • MITM (SSL-stripping) attacks that exploit the visitor's or the browser's use of plain HTTP before the redirect
  • HTTPS websites that still include some HTTP links (mixed content), which the browser now upgrades automatically
  • MITM attacks that rely on the visitor accepting an invalid certificate, since HSTS removes the click-through option

Google preload list

You can also submit your website to be preloaded as HTTPS-only in browsers. The preload list is maintained by Google as part of the Chromium project, and submissions are made through hstspreload.org.
Preloading protects even a user's very first visit, which the header alone cannot do, because the policy ships inside the browser itself. Before connecting, the browser looks the hostname up in its built-in list of websites that must only be reached over HTTPS, and if it finds the website there it uses HTTPS straight away.
For your website to be accepted into the list, make sure it meets these requirements:

  • A valid certificate
  • All HTTP traffic on the domain itself redirected to HTTPS on the same host
  • All subdomains reachable only through HTTPS
  • A Strict-Transport-Security header on the HTTPS site with a max-age of at least one year (31536000 seconds) and both the includeSubDomains and preload directives
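The following Python script is an added example, not ArvanCloud's own code or tooling. It models the browser behaviour described above (the header is only honoured over HTTPS, http:// URLs to known hosts are rewritten locally before any request is sent, max-age=0 withdraws the policy, and a certificate error on a known host is fatal) and then checks a header value against the preload requirements just listed. The host example.com, the responses it processes and the function names are all constructed for illustration; the rule that the header is ignored over plain HTTP is RFC 6797's, and the one-year minimum is the preload form's.

```python
"""Simulated HSTS store plus a preload-eligibility check for the header.

Added example, not ArvanCloud code. Models the user-agent behaviour in
RFC 6797 and the header half of the hstspreload.org requirements.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # smallest max-age the preload submission form accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it has no valid max-age."""
    max_age = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age invalidates the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # empty segments (a trailing ';') and unknown directives are ignored
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


class HstsStore:
    """The browser's cache of known HSTS hosts: host -> (expiry time, includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._hosts = {}

    def observe(self, url: str, headers: Dict[str, str]) -> bool:
        """Record the policy carried by a response. Returns True if the store changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # RFC 6797 section 8.1: the header is ignored over plain HTTP
        value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        host = parts.hostname
        if policy.max_age == 0:
            return self._hosts.pop(host, None) is not None  # max-age=0 withdraws the policy
        self._hosts[host] = (self._now() + policy.max_age, policy.include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a superdomain whose policy has includeSubDomains, is unexpired."""
        now, labels = self._now(), host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443, others stay."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def connection_allowed(self, host: str, certificate_valid: bool) -> bool:
        """On a known HSTS host a certificate error is fatal: no warning page to click through."""
        return certificate_valid or not self.is_known(host)


def preload_eligible(header: str) -> List[str]:
    """Return the problems that would block preload submission (empty list means the header is fine)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid max-age directive"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below the required {ONE_YEAR} (one year)")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed responses for a hypothetical example.com, not captured traffic.
    store = HstsStore()
    header = "max-age=2628000; includeSubDomains;"  # the value shown earlier on this page
    store.observe("http://example.com/", {"Strict-Transport-Security": header})  # ignored: plain HTTP
    print(store.rewrite("http://example.com/login"))  # still http://, nothing learned yet
    store.observe("https://example.com/", {"Strict-Transport-Security": header})
    print(store.rewrite("http://api.example.com:8080/v1"))  # upgraded, non-80 port kept
    print(store.connection_allowed("example.com", certificate_valid=False))  # hard fail
    print(preload_eligible(header))  # one month is too short and the preload directive is missing
```

Run as a script, the last line shows that the one-month header used as the example on this page would be rejected for preloading: it must grow to a year and gain the preload directive first, which is why the header is better tested with a short max-age and lengthened only once every subdomain is confirmed to work over HTTPS.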

ArvanCloud takes care of the technical requirements listed above once you have submitted your domain name to the Google preload list.
The list is currently used by Google Chrome, Mozilla Firefox, Opera, Safari, and Internet Explorer.

Please note that removing a website from the preload list once it has been included is difficult and slow, because the change only reaches users with a browser update. Make sure every subdomain can stay on HTTPS permanently before you submit.

Web browsers supporting HSTS

Users of the following browsers will have the HSTS header enforced, as these browsers support HSTS:

  • Google Chrome, version 4 and higher
  • Firefox, version 4 and higher
  • Internet Explorer and Microsoft Edge, since the release of Windows 10
  • Opera, version 12 and higher
  • Safari, since the release of OS X Mavericks