Auto replace links to HTTPS - how to enable or disable HSTS, preload option

29.11.18 IT / Safety 12344

After the general introduction of the HTTPS protocol, it became necessary in some way to redirect site visitors to open pages through this protocol. This can usually be done with rules in the .htaccess file at the root of the site. However, since HTPPS has become extremely popular and is used everywhere today, there should have been a convenient way to automatically replace links on a site with HTTPS without writing unnecessary rules.

What is HSTS

There is such a method - this technology is called HSTS (HTTP Strict Transport Security). What is HSTS ? This option, which enables a forced secure HTTPS connection, is recommended for increased security. In other words, the browser will open all requests on your site via HTTPS, even if the links are written with HTTP.

Using HSTS eliminates the need to manually edit links with HTTP, but this only applies to the current domain, and links can also be placed to third-party domains. Still, it is better not to rely only on automatic replacement of links to HTTPS, but to additionally correct all links on the site in relative or absolute addresses with an explicit indication of the protocol.

How to enable HSTS

This became possible due to the appearance of a new heading, you can use any of the three recording options:

  Strict-Transport-Security: max-age = & lt; expire-time>
Strict-Transport-Security: max-age = & lt; expire-time>; includeSubDomains
Strict-Transport-Security: max-age = & lt; expire-time>; preload  

It is necessary to send headers to the browser using PHP, another language, using entries in the .htaccess file , etc. And the easiest way to enable HSTS is to tick in hosting settings next to HSTS.

The first option for a post just sends a title, just specify the time it will be valid. The second option tells the browser that the rule applies to all subdomains as well. The last third option is unofficial, but people often ask what HSTS preload means.

HSTS preload

What is HSTS preload ? This is an option to use preload lists. Such lists are compiled by large companies and are used by all browsers. Google is doing this right now, providing preload lists for its Chrome browser as well as other browsers.

Why are there such HSTS preload lists ? This allows browsers to know even before visiting the site that the specified site (domain) and all its pages should be opened only via HTTPS. There is a special project (currently available at hstspreload.org ) that serves requests. He accepts applications for inclusion of sites in such a list (green form above), as well as deleting a site, if necessary, from this list (gray form below). Before submitting an application for addition, you need to make sure that all pages of the site work via HTPPS and that you can support this protocol for a long time. It will take a long time to remove a domain from this list.

How to disable HSTS

Last but not least, how to disable HSTS ? The same header needs to be sent, only with the max-age time set to 0. This will immediately disable HSTS and allow HTTP access.

There is also an option to disable HSTS , it may differ for each browser. For example, for Chrome, you need to go to chrome: // net-internals / # hsts and delete the domain via the "Delete domain security policies" section. It is enough to enter your domain address in the “Domain” field and press “Delete”. After completing these actions when entering the site, it is better to force the protocol http: // , otherwise the browser can automatically open it out of habit via HTTPS .