What is HSTS and how to configure your website to use?

When you use an SSL certificate for a website, you have the option to open the website in either HTTP or HTTPS. The redirection is always done programmatically, when the website is opened and needs to go to a safe environment.

However, there are cases where a website always needs to be loaded in HTTPS, as it is an application and this one is possibly already logged in, like facebook for example.

If you typed in the browser "facebook.com" and simply knew that your connection would be using the common, traditional, unencrypted format, everyone on the network could intercept data traffic.

But, how does facebook manage to make a connection go directly to facebook.com without going through port 80?

The secret to this is in the HSTS configuration.

The HSTS configuration informs that the site uses a policy so that it is always open with SSL technology, so if configured, the browser will know that if the person types in the address bar only "facebook.com", they should access the "https" version : //facebook.com "instead of" http://facebook.com "and thus ensure that the home page is completely secure with encryption enabled, so that no one sees your timeline.

Here is an example of the configuration, which is configured in the HTTP header:

strict-transport-security:max-age=15552000; preload

This is the current configuration of the facebook site, but others use this technology, including here, the TI Tutorial has also implemented it, so that you can view the posts and share your comments safely.

max-age: Defines in seconds how long the browser should keep in cache to prefer to open the site in HTTPS instead of HTTP.

preload: Allows the browser to preload the HTTP header and so the website will only be opened using HTTPS technology. Without it, the first connection to the site would be via HTTP, and then only after that, after closing the browser and opening it again, it would start to use the information received in cache. If the site does not have HTTPS (SSL), the site is inaccessible with this option.

If you have your website but do not yet have an SSL certificate, it is very important to have it, even if the website only has static or public content, as this helps in the relevance of search engines like Google and Bing, which have several algorithms for defining a site ranking.