HSTS

From IndieWeb


HSTS (HTTP Strict Transport Security) is a way for a website to tell browsers that it should only ever be accessed over HTTPS. It is a security mechanism you can use on a personal site to prevent Manipulator in the Middle (MITM) downgrade attacks; however, read the warning below first, because HSTS is difficult to undo once it has been deployed.

It is an HTTP response header that tells browsers for how long (the max-age) the site must only be accessed over HTTPS. Once a browser has received the header over an HTTPS connection, for the rest of that window (typically 6 months or more) it rewrites every http:// request and link for the site to https:// before sending it, and it treats certificate errors for the site as fatal rather than something the user can click through. This defeats SSL stripping, an attack where the user's first connection is over plain HTTP and an attacker in the path removes the redirect to HTTPS (the Location header) so that the user keeps using the site over unencrypted HTTP. Two limits are worth knowing: browsers ignore the header when it arrives over plain HTTP, and a browser that has never visited the site is still unprotected on its very first request unless the domain is on the preload list described below.

Warning

⚠️ You should only apply HSTS if you are confident your HTTPS implementation is solid and won't go away anytime soon. HSTS is difficult to get rid of once it's been applied: if your certificate expires or your HTTPS setup breaks during the max-age window, browsers that have seen the header will refuse to connect at all, and they will not fall back to plain HTTP either. The only way to back out is to keep serving HTTPS with max-age=0 until every returning browser has seen the new value, and a preloaded domain additionally has to wait for browser updates to ship the removal.

IndieWeb Examples

No known IndieWeb Examples.

Brainstorming

The below advice is only brainstorming, because whoever wrote it:

  • did not sign their name
  • did not add themselves as a real world IndieWeb Example

So be warned, no one knows if this advice works or not.


To apply HSTS, configure your web server to send the HTTP response header "Strict-Transport-Security" with a value such as "max-age=15768000" (where max-age is the number of seconds browsers should remember the policy). 15768000 seconds is half a year, which is the recommended minimum. Send the header only on HTTPS responses; browsers ignore it on plain HTTP, so your HTTP site should simply redirect to HTTPS.

You can also apply this to every subdomain, which is only safe once every subdomain (including ones you rarely think about, such as mail or test hosts) is served over HTTPS:

Strict-Transport-Security: max-age=15768000; includeSubDomains

Finally, you can request to be on the "preload" list that is compiled into web browsers, which closes the first-visit gap because the browser enforces HTTPS for your domain before it has ever seen your header. Only do this once you have run HSTS for a while and it works well: it is difficult to get off this list, because removal requires users to update their browsers. hstspreload.org currently requires a max-age of at least 31536000 (one year) together with includeSubDomains and the preload directive, so a half-year value will be rejected:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Once you are serving the header with the preload directive, submit your domain at hstspreload.org to be enrolled into the program.
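An added example, not from this wiki page or from any IndieWeb project: it parses a Strict-Transport-Security header value the way RFC 6797 describes (directives separated by ';', case-insensitive names, max-age optionally quoted, duplicates invalid) and checks it against the advice above and the current hstspreload.org requirements. The header strings, the constants HALF_YEAR and ONE_YEAR and all function names are my own; check_site is only a convenience for querying a live host and needs network access.

```python
"""Parse and sanity-check a Strict-Transport-Security header.

Added example for the IndieWeb HSTS page; the header values below are
constructed for illustration.
"""
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

HALF_YEAR = 15768000   # the page's recommended minimum max-age (seconds)
ONE_YEAR = 31536000    # hstspreload.org minimum max-age at time of writing


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a header value per RFC 6797 section 6.1.

    Unknown directives are ignored; a duplicate directive or a bad max-age
    makes the whole header invalid (a browser would ignore it entirely).
    """
    policy = HstsPolicy()
    if header is None:
        policy.problems.append("no Strict-Transport-Security header")
        return policy
    seen = set()
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age="123" is allowed
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"bad max-age value: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not policy.problems:
        policy.problems.append("max-age is required")
    return policy


def assess(policy: HstsPolicy) -> List[str]:
    """Return findings: syntax problems, then policy advice."""
    findings = list(policy.problems)
    if policy.max_age is None:
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0: browsers drop the cached policy "
                        "(this is how you back out of HSTS)")
    elif policy.max_age < HALF_YEAR:
        findings.append(f"max-age {policy.max_age} is below the "
                        f"recommended half year ({HALF_YEAR})")
    if policy.preload:
        if policy.max_age < ONE_YEAR:
            findings.append("preload requested but hstspreload.org "
                            f"requires max-age >= {ONE_YEAR}")
        if not policy.include_subdomains:
            findings.append("preload requested without includeSubDomains")
    return findings


def ready_for_preload(header: Optional[str]) -> bool:
    """True when the header would pass the hstspreload.org header check."""
    p = parse_hsts(header)
    return (not p.problems and p.preload and p.include_subdomains
            and (p.max_age or 0) >= ONE_YEAR)


def check_site(host: str) -> List[str]:
    """Fetch https://host/ and assess its HSTS header (network required).

    Only the HTTPS response matters: browsers ignore HSTS over plain HTTP.
    """
    req = urllib.request.Request(f"https://{host}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(parse_hsts(resp.headers.get("Strict-Transport-Security")))


if __name__ == "__main__":
    # Constructed header values: the page's half-year header, the page's
    # preload variant (rejected by hstspreload.org), and a compliant one.
    for h in ("max-age=15768000",
              "max-age=15768000; includeSubDomains; preload",
              "max-age=31536000; includeSubDomains; preload"):
        print(f"{h!r}: {assess(parse_hsts(h)) or ['ok']}")
```

Run it with a hostname of your own, for example `python3 -c 'import hsts_check; print(hsts_check.check_site("example.com"))'` after saving the file as hsts_check.py, and compare the result with what hstspreload.org reports. In nginx the equivalent server-side setting is `add_header Strict-Transport-Security "max-age=15768000" always;` inside the HTTPS server block, not the HTTP one.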

See Also