{"id":269,"date":"2018-11-10T14:10:36","date_gmt":"2018-11-10T14:10:36","guid":{"rendered":"https:\/\/int64software.com\/blog\/?p=269"},"modified":"2019-01-03T09:39:39","modified_gmt":"2019-01-03T09:39:39","slug":"hardening-website-security-part-1a-hsts-preloading","status":"publish","type":"post","link":"https:\/\/int64software.com\/blog\/2018\/11\/10\/hardening-website-security-part-1a-hsts-preloading\/","title":{"rendered":"Hardening Website Security \u2013 Part 1a: HSTS Preloading"},"content":{"rendered":"\n

In part 1<\/a> of this series of articles we described the HSTS header \u201cStrict-Transport-Security<\/em>\u201d. This header is used to tell the clients web browser that HTTP Strict Transport Security mode should be enabled so that the browser should remember that this website only uses HTTPS and should not accept any unencrypted traffic. In this article we’re going to take this a step further an look at HSTS Preloading.<\/p>\n\n\n\n

\"OverLAPS<\/a><\/figure>\n\n\n\n

HSTS Preloading<\/h2>\n\n\n\n

As an addition to this, Google compile a list of HSTS enabled websites which is made available to (or more specifically compiled into) Chrome, Firefox and Safari so that they don\u2019t even have to query the website in question for its headers, it knows to enforce HTTPS right away.<\/p>\n\n\n\n

By doing this, attackers can no longer intercept and modify\nheaders sent over unencrypted HTTP to block the elevation to HTTPS, and thereby\ncarry out further Man-in-the-Middle (MITM) attacks.<\/p>\n\n\n\n

In order to enable HSTS Preloading you must sign up to be included on the list.<\/p>\n\n\n\n

How to Register<\/h2>\n\n\n\n

Requirements<\/h3>\n\n\n\n

First, in order to confirm that you are the owner of the\nwebsite in question, and that you definitely want preloading to be enabled, you\nhave to modify your \u201cStrict-Transport-Security\u201d header.<\/p>\n\n\n\n

Where previously it read (optionally with or without the “includeSubDomains” directive):
<\/p>\n\n\n\n

Strict-Transport-Security \u201cmax-age=31536000; includeSubDomains\u201d<\/code><\/pre>\n\n\n\n
You must also add the \u201cpreload\u201d option so that it is now:
<\/p>\n\n\n\n
Strict-Transport-Security \u201cmax-age=31536000; includeSubDomains; preload\u201d<\/code><\/pre>\n\n\n\n
If you have unencrypted HTTP enabled, it must be set to\nredirect with either an HTTP response code of either 301 (Moved Permanently) or\n302 (Found \u2013 previously Moved Temporarily) to the secure HTTPS site on the same host<\/strong>.<\/p>\n\n\n\n
All subdomains must also have a valid HTTPS certificate (including \u201cwww.<\/em>\u201d if you have a DNS record for it).<\/p>\n\n\n\n
Registration<\/h3>\n\n\n\n
Now that you\u2019ve fulfilled the requirements, you can submit your site to the HSTS Preloading list by visiting the following website: https:\/\/hstspreload.org\/<\/a>
<\/p>\n\n\n\n
Once that\u2019s done, you just need to wait. You can submit your\nsite to that website again to check on the status of your request.<\/p>\n","protected":false},"excerpt":{"rendered":"
In part 1 of this series of articles we described the HSTS header \u201cStrict-Transport-Security\u201d. This header is used to tell the clients web browser that HTTP Strict Transport Security mode should be enabled so that the browser should remember that this website only uses HTTPS and should not accept any unencrypted traffic.<\/p>\n","protected":false},"author":1,"featured_media":271,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[50,7],"tags":[63,64,67,9,65,66,68],"class_list":["post-269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-tutorial","tag-hsts","tag-https","tag-preload","tag-security","tag-ssl","tag-tls","tag-webdev"],"_links":{"self":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/comments?post=269"}],"version-history":[{"count":5,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/269\/revisions"}],"predecessor-version":[{"id":435,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/posts\/269\/revisions\/435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media\/271"}],"wp:attachment":[{"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/media?parent=269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/categories?post=269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/int64software.com\/blog\/wp-json\/wp\/v2\/tags?post=269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}