05-01-2015, 02:42 PM
Enabling HTTP Strict Transport Security (HSTS)
This article continues a series on migrating a web site to HTTPS Everywhere. The goal of HTTPS Everywhere is to secure the entire web using current security best practices. At the same time, we have to be aware of the performance implications of serving everything over HTTPS.
The first step we took to improve performance over HTTPS was to enable connection keep-alive. The next step is to enable the HTTP Strict Transport Security (HSTS) header. This header instructs the browser to connect to the current domain only over HTTPS for a stated period, and optionally to apply the same rule to all of its subdomains.
In this article I'll cover:
Why use the HSTS?
Implementation in Apache and IIS
Testing to make sure it works
Before you begin, note that HSTS is widely supported by the major browsers, with the exception of Internet Explorer up to version 11; Microsoft has announced that IE 12 will support HSTS.
Why use HSTS?
The short answer is performance. As noted above, the HSTS header instructs the browser to connect only over HTTPS until the policy expires (the max-age directive, in seconds). For most sites you should set max-age as high as you are comfortable with, bearing in mind that once a long value is cached you cannot easily serve that host over plain HTTP again, so it is sensible to start low and raise it. With HSTS in place, the browser never needs the HTTP-to-HTTPS redirect for our site, or for any other assets or resources served by our server, because it rewrites http:// requests to https:// before they leave the client. Browsers only honor the header when it arrives over HTTPS, so a visitor's very first request still pays for the redirect; every request after that is upgraded locally.
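To make the redirect saving concrete, here is an added example (not code from the original article) that parses a Strict-Transport-Security value as a browser would and simulates a browser's HSTS cache against a stand-in origin. The hostnames, the header value max-age=31536000; includeSubDomains, and the origin's 301 behaviour are all assumed for the demonstration. The first visit to a host pays for the HTTP-to-HTTPS round trip; later requests, and requests to subdomains when includeSubDomains is set, are upgraded on the client without touching the network over HTTP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).
    Returns None for an invalid value (missing or non-numeric max-age, or a
    repeated directive); a browser ignores such a header rather than guess."""
    seen, max_age, subdomains, preload = set(), None, False, False
    for raw in value.split(";"):
        if not raw.strip():
            continue
        name, _, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, subdomains, preload)


class HstsCache:
    """Simulated browser HSTS store: host -> (policy, absolute expiry time)."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[HstsPolicy, float]] = {}

    def note_response(self, scheme: str, host: str, headers: Dict[str, str], now: float) -> None:
        if scheme != "https":
            return  # the header is only honoured on a response received over TLS
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if policy is None:
            return
        if policy.max_age == 0:
            self._store.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self._store[host] = (policy, now + policy.max_age)

    def is_known_host(self, host: str, now: float) -> bool:
        for known, (policy, expiry) in self._store.items():
            if now < expiry and (host == known or
                                 (policy.include_subdomains and host.endswith("." + known))):
                return True
        return False


# Constructed stand-in for the origin server (assumed behaviour, not the article's
# server): plain HTTP gets a 301 to HTTPS, HTTPS gets 200 plus the HSTS header.
def origin(scheme: str, url: str) -> Tuple[int, Dict[str, str]]:
    if scheme == "http":
        return 301, {"Location": "https:" + url[len("http:"):]}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def fetch(cache: HstsCache, url: str, now: float) -> List[str]:
    """Fetch url the way an HSTS-aware browser would; returns the URLs actually sent."""
    wire: List[str] = []
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.is_known_host(parts.hostname, now):
        url = urlunsplit(parts._replace(scheme="https"))  # internal upgrade, no round trip
    for _ in range(5):  # bounded redirect following
        parts = urlsplit(url)
        wire.append(url)
        status, headers = origin(parts.scheme, url)
        cache.note_response(parts.scheme, parts.hostname, headers, now)
        if status != 301:
            break
        url = headers["Location"]
    return wire


def demo() -> List[List[str]]:
    """Three requests from a fresh browser; only the first one incurs the redirect."""
    cache = HstsCache()
    return [fetch(cache, u, now=1000.0) for u in (
        "http://example.com/",             # first visit: HTTP request, 301, HTTPS request
        "http://example.com/site.css",     # host now known: upgraded before sending
        "http://www.example.com/app.js",   # subdomain covered by includeSubDomains
    )]


if __name__ == "__main__":
    for sent in demo():
        print(len(sent), "request(s) on the wire:", sent)
```

Note that includeSubDomains only covers hosts below the one that sent the header: a policy learned from www.example.com does not cover example.com, which is why the simulation visits the apex host first.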
For example, in the image below you can see the redirect from HTTP to HTTPS. This redirect happens because our server answers the HTTP request with a permanent (301) redirect to the same resource over HTTPS.