HSTS Preload
The Department of Homeland Security and the National Cyber Security Alliance collaborate each year during Cybersecurity Awareness Month to increase public understanding of the value of cybersecurity.
Today, anybody can easily start a blog, corporate site, or portfolio website. Keeping it safe has also become simpler, and more crucial. To assist, Google is offering three actionable tips from internet security professionals that anyone can use to strengthen the protection of their websites. One website at a time, these suggestions help safeguard the world by protecting private and sensitive data.
TLS certificate installation
A Transport Layer Security (TLS) certificate, often still called an SSL certificate, protects sensitive data while it travels between your website and its visitors. Although TLS is essential if your website collects sensitive data such as credit card numbers or login passwords, experts advise using it for all websites. Certificates are available from most registrars, and Let’s Encrypt lets you obtain and install one yourself.
Select HSTS preloading
The HSTS preload list contains websites that modern browsers know to load only over a secure, encrypted connection. It is the simplest way to guarantee that connections to a website cannot be downgraded to an unencrypted connection, on the first visit as well as on every later visit. There are two ways to get HSTS preloading, discussed below.
Select a safe web hosting company
Look into and choose a hosting company that has a solid track record of implementing security features like intrusion detection systems, firewalls, and frequent backups.
Many website owners are unaware that malicious actors might attempt to change the content of their websites, implant malware or tracking code, spoof the site over unsecured Wi-Fi networks, or reroute traffic. Even a single unencrypted page can give them a foothold into the rest of your website. There are two ways to use HSTS preload to strengthen your website’s defense against HTTP downgrade attacks:
- Submit your domain to the HSTS preload list and wait for the change to propagate across browsers.
- Choose a top-level domain that is HSTS-preloaded as a whole, such as .app, .dev, .page, .rsvp, or .day, to get the strongest level of website encryption right away. Installing a TLS certificate is the only additional step, and no browser updates are required.
HSTS Preload List
Details
This form is used to submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being accessible only via HTTPS.
Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) have HSTS preload lists based on the Chrome list. Refer to the HSTS compatibility matrix.
Submission Conditions
If a site sends the preload directive in an HSTS header, it is considered to be requesting inclusion in the preload list and may submit a request using this site’s form.
In order to be accepted to the HSTS preload list through this form, your site must satisfy the following requirements:
- Serve a valid certificate.
- If you are listening on port 80, redirect from HTTP to HTTPS on the same host.
- Serve all subdomains over HTTPS.
  - In particular, if a DNS record exists for the www subdomain, you must serve HTTPS for that subdomain.
  - Note that HSTS preloading applies to all subdomains, including internal, non-publicly accessible ones.
- Serve an HSTS header on the base domain for HTTPS requests:
  - The max-age must be at least 31536000 seconds (1 year).
  - The includeSubDomains directive must be specified.
  - The preload directive must be specified.
  - If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header.
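The three header requirements above can be checked before submitting a domain. The following is an added example written for this article, not code from the original post or from the preload-list project; `parse_hsts` and `HstsCheck` are names chosen here, and the sample header values are constructed.

```python
"""Check a Strict-Transport-Security header value against the preload
submission rules above (max-age >= 1 year, includeSubDomains, preload).
Added example for this article; not code from the original post."""
from __future__ import annotations
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # minimum max-age in seconds required for preloading


@dataclass
class HstsCheck:
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    problems: list[str] = field(default_factory=list)  # empty => eligible


def parse_hsts(header_value: str) -> HstsCheck:
    """Parse ';'-separated, case-insensitive directives (RFC 6797) and
    record every preload requirement the header misses."""
    result = HstsCheck()
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                result.max_age = int(value)
            else:
                result.problems.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # unknown or empty directives are ignored, as RFC 6797 requires
    if result.max_age is None:
        result.problems.append("missing max-age directive")
    elif result.max_age < ONE_YEAR:
        result.problems.append(f"max-age {result.max_age} is below 1 year")
    if not result.include_subdomains:
        result.problems.append("missing includeSubDomains directive")
    if not result.preload:
        result.problems.append("missing preload directive")
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    for value in ("max-age=63072000; includeSubDomains; preload",
                  "max-age=86400; includeSubDomains; preload",
                  "max-age=31536000; preload"):
        check = parse_hsts(value)
        print(f"{value!r}: {check.problems or 'eligible'}")
```

The header check is only one of the requirements; the certificate, the port-80 redirect and HTTPS on every subdomain still have to be verified against the live site.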
In an effort to expand the availability of HSTS preload, Google Registry and registrars will be offering a 50% discount on Google HSTS-preloaded domains in October.
What is HSTS?
HSTS, or HTTP Strict Transport Security, secures the connection between a website and its users. HSTS tells browsers to always use HTTPS when accessing a website. HSTS aims to prevent downgrade attacks, which force websites onto insecure HTTP connections. Without HSTS, such attacks could expose sensitive user data on a website.
In summary
Internet security experts advise three crucial steps to improve website security. Installing a Transport Layer Security (TLS) certificate is the first step, encrypting data in transit between users and your website. Second, use HSTS preloading to guarantee secure connections and prevent downgrades to unencrypted connections. Finally, choose a reputable hosting company with strong security protocols. By putting these precautions in place you can head off likely threats to your website and protect personal information.