HSTS: Enforced HTTPS
Though HTTPS has been an option for my site for a little while now, I haven't enforced it outside of various commerce related pages (e.g. the shopping cart). Starting now, not only is HTTPS required to browse my site, I've enabled the HSTS header to ensure that unencrypted connections are never allowed.
What is HSTS?
HSTS stands for "HTTP Strict Transport Security". It does a couple of things in modern browsers that honour this header:
- Any link on my website that points elsewhere on this same domain will automatically be rewritten to HTTPS by the browser. I have used protocol-relative URLs or CMS-generated URLs almost everywhere, but this should ensure that anything I've missed stays encrypted.
- For the defined period of time (I've chosen a year), if you connect to my site and there is any HTTPS-related problem, such as an expired or otherwise invalid certificate, your browser should not even let you bypass the warning page.
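As an added illustration (not code from this post), here is a minimal model of how a browser applies those two rules once it has cached the header: parsing `max-age`/`includeSubDomains`, upgrading plain-HTTP URLs for covered hosts, and refusing a certificate-error click-through. Host names, header values and timestamps are constructed for the example.

```python
# Added example: a toy HSTS cache as a browser would keep it (hosts and times are constructed).
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the post's max-age choice: one year, in seconds

@dataclass
class HstsPolicy:
    host: str
    expires_at: float
    include_subdomains: bool

def parse_hsts(host, header, now):
    """Parse Strict-Transport-Security (received over HTTPS); None if max-age is missing/bad."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_subdomains)

def policy_for(cache, host, now):
    """Unexpired policy for host; a parent entry applies only with includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = cache.get(".".join(labels[i:]))
        if policy is None or policy.expires_at <= now:
            continue
        if i == 0 or policy.include_subdomains:
            return policy
    return None

def rewrite_url(cache, url, now):
    """Upgrade http:// to https:// when a policy covers the host (the link rewriting the post describes)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or not policy_for(cache, parts.hostname, now):
        return url
    netloc = parts.hostname if parts.port == 80 else parts.netloc  # an explicit :80 would be wrong on HTTPS
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def may_bypass_cert_error(cache, host, now):
    """With a live policy the browser must not offer a click-through on certificate errors."""
    return policy_for(cache, host, now) is None
```

A header with `max-age=0` (the way a site withdraws its policy) ends up as an already-expired entry here, which the lookups ignore just as a deleted one would be.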
Why HSTS?
Of course, given that you will be denied access to my website if I accidentally misconfigure something related to SSL, or even if my CA's certificate has problems, why would I take the risk of downtime and lost traffic in the name of encryption?
My website is primarily a blog-- it does allow you to purchase various tutorials I've written and apps I have developed, but the vast majority of my visitors land on a content page with no sensitive information. Despite this, I believe that each user is entitled to both privacy and security from ISPs and establishments that engage in bad practices such as ad injection. With enforced HTTPS, your hotel or coffee shop will no longer be able to see which specific content you are looking at[1], and will not be able to inject their own ads or tracking software into my website.
- [1] Of course, without encrypted DNS, an attacker or privileged user will still know you are accessing my domain.