Last update: 2024-05-07, edited by 888u
HSTS (HTTP Strict Transport Security) is a web security policy being promoted by the IETF (Internet Engineering Task Force). A website can opt into the HSTS policy to force browsers to communicate with it only over HTTPS, which reduces the risk of session hijacking.
A website that adopts HSTS ensures that the browser always connects to its HTTPS (encrypted) version, without the user having to type the encrypted address into the URL bar. The policy helps websites move to encryption everywhere so that users always see the secure version of the site. In short, the role of HSTS is to force clients (such as browsers) to establish their connections to the server over HTTPS.
A server enables HSTS by including the Strict-Transport-Security field in the HTTP response header it returns when the client makes its request over HTTPS. An HSTS field received over an unencrypted connection is ignored.
For example, the response header of https://www.williamlong.info contains Strict-Transport-Security: max-age=31536000; includeSubDomains. This means two things: for the next year (that is, 31536000 seconds), whenever the browser is about to send an HTTP request to www.williamlong.info or any of its subdomains, it must use HTTPS for the connection; and when a user clicks a hyperlink or types an http URL into the address bar, the browser automatically converts that http URL into an https URL.
For an nginx server, add the Strict-Transport-Security response header with an add_header directive:
add_header Strict-Transport-Security "max-age=31536000";
One thing to note: the max-age value in Strict-Transport-Security must not be less than 15552000 seconds.
For Windows servers, open the web.config file in the website directory, add the URL rewrite rule for the HTTPS redirect (the boldfaced part, of which only the following attributes are shown here) at the corresponding location, and save the file.
redirectType="Permanent" />
pattern=".*" />
After HSTS is turned on, the rating of your SSL/TLS deployment in an online test may reach A+ or above. At that point you can apply to join the HSTS Preload List.
The HSTS Preload List is a list of domains built into the Chrome browser; when a site on this list is visited in Chrome, the browser switches to HTTPS automatically. Firefox, Safari, and Edge also use this list.
Go to the hstspreload official website and enter your domain name; the test result tells you whether the domain is eligible for the HSTS Preload List. If there are no problems, tick the confirmation boxes to submit.
After joining the HSTS Preload List you may still need to wait 1-2 months: once new versions of Chrome, Chromium, Firefox, IE and other browsers are released, your domain name will be recognized by the major browsers and forced to be accessed over HTTPS.
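To make the behaviour described in this post concrete (the header only counting on an HTTPS response, max-age and includeSubDomains from the header section above, and the preload prerequisites from the last few paragraphs), here is an added Python model of a browser's HSTS cache. It is example code written for this page, not code from the post or from any browser; the hosts shop.example and img.shop.example, the header values and the clock are constructed sample data, and MIN_PRELOAD_MAX_AGE uses the 15552000-second figure the post gives.

```python
"""Added example (not from the original post): a model of a browser's HSTS
handling per RFC 6797, built to show why the header only counts on an HTTPS
response and how max-age / includeSubDomains decide which http:// URLs get
rewritten. Hosts and header values are constructed sample data."""
import time
from collections import namedtuple
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age the post states for preloading; hstspreload.org itself
# currently asks for at least one year (31536000 seconds).
MIN_PRELOAD_MAX_AGE = 15552000
# A cached policy: expires_at is the absolute time at which it lapses.
HstsPolicy = namedtuple("HstsPolicy", "max_age include_subdomains preload expires_at")


def parse_sts(value):
    """Return (max_age, includeSubDomains, preload) or None for an invalid value."""
    max_age, include_subdomains, preload = None, False, False
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, val = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None  # a malformed max-age invalidates the whole header
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, which keeps the header extensible
    return None if max_age is None else (max_age, include_subdomains, preload)


class HstsStore:
    """The browser-side cache of known HSTS hosts."""
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}  # host -> HstsPolicy

    def process_response(self, url, headers):
        """Record the policy carried by a response; True if the cache changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # RFC 6797 8.1: STS on a plain-HTTP response is ignored
        # (a real client matches the header name case-insensitively)
        parsed = parse_sts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return False
        max_age, include_subdomains, preload = parsed
        host = parts.hostname.lower()
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            return self.policies.pop(host, None) is not None
        self.policies[host] = HstsPolicy(max_age, include_subdomains, preload,
                                         self.now() + max_age)
        return True

    def is_known_host(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self.now():
                del self.policies[candidate]  # expired entries are dropped lazily
            elif i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when its host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url
        # an explicit :80 becomes the https default port; other ports are kept
        netloc = parts.hostname + (f":{parts.port}" if parts.port not in (None, 80) else "")
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def preload_ready(self, host):
        """The post's preload prerequisites: long max-age, includeSubDomains, preload."""
        p = self.policies.get(host.lower())
        return bool(p and p.max_age >= MIN_PRELOAD_MAX_AGE and p.include_subdomains and p.preload)


def demo():
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    out = {}
    out["http_ignored"] = store.process_response("http://shop.example/", hsts)
    out["no_upgrade_yet"] = store.upgrade("http://shop.example/cart")
    out["https_stored"] = store.process_response("https://shop.example/", hsts)
    out["upgraded"] = store.upgrade("http://shop.example/cart?id=1")
    out["subdomain_upgraded"] = store.upgrade("http://img.shop.example/a.png")
    store.process_response("https://shop.example/", {"Strict-Transport-Security":
                           "max-age=31536000; includeSubDomains; preload"})
    out["preload_after"] = store.preload_ready("shop.example")
    clock[0] += 31536001  # max-age has elapsed, so the policy lapses
    out["after_expiry"] = store.upgrade("http://shop.example/")
    return out
```

Running demo() shows the plain-HTTP response leaving the cache untouched, the HTTPS response making later http:// links to the host and its subdomains rewrite to https://, and the policy lapsing once max-age has elapsed; that lapse is why a short max-age weakens the protection and why the preload check wants a long one.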