How to fix missing HSTS from HTTPS server?
If your HTTPS server does not send the HSTS response header, that is a problem. HSTS (HTTP Strict Transport Security, RFC 6797) is a response header that tells a browser to reach your hostname only over HTTPS for a stated number of seconds, rewriting any http:// URL to https:// before a request is sent. With HSTS, returning visitors get a safe and private session on your website. Without it, every visit that starts over plain HTTP is exposed to the privacy and security risks described below.
To protect visitors, websites usually redirect them from HTTP to HTTPS.
But a user can still start from an HTTP URL by typing the address, following an old link, or pasting a copied one. That first plaintext request is the exposure: it is open to Man-in-the-Middle (MITM) attacks and to SSL stripping, where an attacker on the network path answers the HTTP request itself and keeps the user on a plain-HTTP copy of the site instead of passing on the redirect to HTTPS. Everything the user then submits, including credentials, can be read and altered by the attacker.
HSTS closes this window for every browser that has already seen the policy: the browser rewrites http:// to https:// locally, so the plaintext request never leaves the machine, and a certificate error on the site becomes a hard failure that cannot be clicked through. If your website is missing HSTS it is time to fix the issue and improve safety all around.
Risks linked to missing HSTS from the HTTPS server
Detecting a missing HSTS header matters for site security and, because search engines reward sites that are served reliably over HTTPS, for search ranking too. Browsers never warn a user that a site lacks HSTS and nothing on the server flags it, so the gap goes unnoticed. While the header is missing from the HTTPS server, the site is exposed to the problems below:
Man-in-the-Middle (MITM)
Missing HSTS makes a man-in-the-middle attack on the site's HTTP entry point possible. An attacker who controls the network path (a hostile Wi-Fi hotspot, for example) intercepts the visitor's initial http:// request and, instead of letting the redirect to HTTPS through, serves a plain-HTTP version of the site or relays the visitor to a look-alike host where whatever they enter is captured. With HSTS in place the browser would never have sent that http:// request.
Cookie Hijacking
Without HSTS, any plain-HTTP request to the site carries the site's cookies in clear text unless every cookie is marked Secure, and a network attacker can provoke such a request simply by injecting an http:// link to your site into any unencrypted page the user views. Session cookies are the usual target: whoever holds a valid session identifier is logged in as that user without ever needing the password. HSTS prevents the plaintext request from being made; the Secure cookie attribute is the complementary defence for the cookies themselves.
How to fix missing HSTS from the HTTPS server?
The HSTS response header belongs on every website that permanently redirects HTTP to HTTPS: the redirect handles the first visit, and HSTS makes sure later visits never start in plaintext. Fortunately, adding HSTS is a lot easier than dealing with the problems that come from leaving it out.
Here are five steps to resolve the missing HSTS header on an HTTPS server:
Step 1 – Create a full backup before adding the HTTP Strict Transport Security header
Enabling HSTS means editing the web server configuration, so back up the site's files and configuration first in case a change breaks the site. Weekly automated backups or a manual backup taken on the server both work, and cPanel or another hosting control panel can take the backup and edit the configuration for you. One precaution is specific to HSTS: browsers cache the policy for the full max-age, and it can only be shortened by serving a new header over HTTPS to each browser that stored it. Test with a short max-age (a few minutes) and raise it to a year only once every page, asset and subdomain is confirmed to work over HTTPS.
Step 2 – Use the 301 Status Code Redirect from HTTP to HTTPS
HSTS works only over HTTPS: browsers ignore the header if it arrives over plain HTTP, and once a policy is stored they refuse any connection whose certificate is not valid, with no click-through. A valid TLS certificate for the host (and, if you later add includeSubDomains, for every subdomain) is therefore a precondition. On Apache servers, including WordPress sites, the following .htaccess block redirects every HTTP request to the same URL over HTTPS with a permanent 301 and sets the HSTS header on the HTTPS responses; it needs mod_rewrite and mod_headers. If TLS is terminated in front of Apache by a load balancer or CDN, %{HTTPS} is never "on" and this rule would redirect in a loop; in that setup test the X-Forwarded-Proto request header instead.
Code:
# Needs mod_rewrite and mod_headers. Redirect any non-HTTPS request to the same URL over HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
# Send HSTS only on HTTPS responses (mod_ssl sets the HTTPS variable); browsers ignore it over HTTP anyway.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Step 3 – Add the HSTS header to the server to force the website to use HTTPS
For WordPress and other sites on Apache web servers that use a ".htaccess" file, the line below adds the missing HSTS header (the Step 2 block already includes it; add it on its own if you redirect some other way). max-age is the number of seconds a browser should remember the policy; 31536000 is one year. Two optional directives extend it: includeSubDomains applies the policy to every subdomain, and preload signals that you intend to submit the site to the preload list in Step 4. Add includeSubDomains only after confirming that every subdomain, internal ones included, serves HTTPS, because the policy applies to all of them at once.
Code:
# Needs mod_headers. Quote the value: with more than one directive it contains a space.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Step 4 – Include the website in Google's HSTS Preload List
A browser only starts enforcing HSTS after it has received the header from the site at least once over HTTPS, so a visitor's very first visit is still unprotected. The HSTS preload list, maintained by Google and shipped inside Chrome, Firefox, Safari and Edge, closes that gap: browsers treat preloaded domains as HTTPS-only before any visit has happened. Submission at hstspreload.org requires a valid certificate, an HTTP to HTTPS redirect on the same host, HTTPS on all subdomains, and a header on the base domain with a max-age of at least one year (31536000) plus the includeSubDomains and preload directives. Treat preloading as permanent: removal takes months to reach released browsers, so submit only once the whole domain, subdomains included, is committed to HTTPS.
Step 5 – Audit and validate the HSTS header from the website
Check the live response headers rather than assuming the configuration took effect. Open the site over HTTPS in a browser such as Google Chrome and read the response headers in the developer tools Network panel, or use a command-line client (curl with its -I option) or an SEO crawler that records response headers. Confirm three things: the https:// response carries Strict-Transport-Security with the intended max-age, the http:// URL answers with a 301 to the https:// URL, and the header value parses correctly, since a typo such as a missing max-age makes browsers silently ignore it. Here is an example of the HSTS header audit for a website.
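As an added, runnable example (not code from the original page or from evisio.co), the Python below models the two points this article makes: how a browser stores and enforces the header it received over HTTPS, so that the typed http:// URL in the MITM and SSL-stripping scenario above never produces a plaintext request, and the Step 5 audit of the header value a server sends. Every host, header value and timestamp is constructed for the demo, and the browsers' built-in preload list is stood in for by a hand-supplied list of hosts.

```python
"""HSTS (RFC 6797) as a browser enforces it, plus an audit of the header a server sends.
Hosts, header values and timestamps used here are constructed for the demo."""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {'max_age', 'include_subdomains', 'preload'}.
    Returns None for anything a browser would ignore: no max-age, a non-numeric max-age,
    or a directive repeated twice (RFC 6797 section 6.1). Unknown directives are skipped."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None
        seen.add(name)
        val = val.strip().strip('"')        # max-age="3600" is allowed as a quoted string
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of response headers."""
    for key, val in headers.items():
        if key.lower() == name:
            return val
    return None


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self, preloaded=()):
        # Preloaded hosts stand in for the built-in list: they never expire and cover subdomains.
        self.entries = {host: (float("inf"), True) for host in preloaded}

    def observe_response(self, url, headers, now):
        """Store the policy from one response. Only HTTPS responses count (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        value = _header(headers, "strict-transport-security")
        if parts.scheme != "https" or value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.entries.pop(parts.hostname, None)   # max-age=0 tells the browser to forget the host
        else:
            self.entries[parts.hostname] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """True if host itself, or a parent domain flagged includeSubDomains, has an unexpired entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > now and (i == 0 or include_subdomains):
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser actually requests. For a known host, http:// is rewritten to
        https:// before any packet is sent, which is what removes the SSL-stripping window."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return parts._replace(scheme="https").geturl()
        return url


def audit_hsts(headers, preload_goal=False):
    """Step 5 check on the headers a server sent; returns a list of findings (empty means OK)."""
    value = _header(headers, "strict-transport-security")
    if value is None:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed Strict-Transport-Security header: %r" % value]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append("max-age %d is below one year" % policy["max_age"])
    if preload_goal and not policy["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    if preload_goal and not policy["preload"]:
        findings.append("preload requires the preload directive")
    return findings
```

audit_hsts takes a plain dict of response headers, for instance the ones curl -I prints for the https:// URL, and with preload_goal=True applies the Step 4 requirements. HstsStore.navigate returns the URL the browser would really request; it stays http:// only when no unexpired policy covers the host, which is exactly the first-visit window the preload list exists to close. Note that a policy learned over HTTPS replaces a preloaded entry in this model, whereas real browsers keep the two separately.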
That’s it. In five relatively easy steps your website will be much more secure and safe for every user.
If you’re looking for SEO project management software to better manage your workflow, clients, and business – evisio.co is your solution. Try evisio.co for free here!