Adding the Strict-Transport-Security header to your site protects every visit except the very first one: a browser only learns that your site is HTTPS-only after it has seen the header once. That first visit (and the first visit after the header's max-age has expired) is still exposed to an on-path (man-in-the-middle) attacker who can answer the plain-HTTP request before your redirect does. "Preloading" closes that gap: your domain is added to a list that ships inside the browser itself. Chrome's list is also consumed by Firefox, Safari and Edge, so browsers that carry it treat your site as HTTPS-only from the very first request, with no prior visit needed.
If you want to enable this for your site, it has to meet the submission requirements before it will be accepted:
A valid certificate must be served, and plain-HTTP requests must redirect to HTTPS on the same host.
All subdomains must be served over HTTPS (the includeSubDomains token makes browsers refuse plain HTTP to every subdomain, including internal ones you may have forgotten about).
The header must be sent on the base domain with a max-age of at least 31536000 seconds (one year).
The includeSubDomains token must be specified in the header.
The preload token must be specified in the header.
A header value that satisfies all of these looks like: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
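Before submitting, it is worth checking the exact header value your server actually emits against these requirements. The following is an added example, not part of the original post and not the preload site's own checker: a small RFC 6797 directive parser plus the header-level preload checks, run over constructed sample values (the sample headers are made up for the example, not captured from a real site). It checks only the header; the certificate, the HTTP-to-HTTPS redirect and subdomain coverage still have to be verified against the live site.

```python
import re

# Minimum max-age hstspreload.org accepts for a submission: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns a dict of lower-cased directive name -> value (None when the
    directive carries no value). Raises ValueError for syntax the RFC
    forbids: an empty directive name, or a directive given more than once.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # an empty element (e.g. a trailing ';') is harmless
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if not name:
            raise ValueError("directive with an empty name")
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        # Directive values may be quoted strings; strip one pair of quotes.
        directives[name] = value.strip().strip('"') if has_value else None
    return directives


def preload_problems(header_value):
    """List the ways a header value fails the preload requirements.

    An empty list means the header itself is acceptable. Only the header
    is checked here; certificate validity, the HTTP->HTTPS redirect and
    subdomain coverage have to be verified against the live site.
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]

    problems = []
    max_age = d.get("max-age")
    if "max-age" not in d:
        problems.append("max-age is missing (required by RFC 6797)")
    elif max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age must be a non-negative integer number of seconds")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age={max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}"
        )
    if "includesubdomains" not in d:
        problems.append("includeSubDomains token is missing")
    if "preload" not in d:
        problems.append("preload token is missing")
    return problems


# Constructed sample header values for the example, not captured from any real site.
SAMPLES = {
    "compliant": "max-age=31536000; includeSubDomains; preload",
    "too-short": "max-age=10886400; includeSubDomains; preload",  # 18 weeks
    "bare": "max-age=31536000",
    "duplicate": "max-age=31536000; preload; max-age=0; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:10} {value!r}")
        for issue in preload_problems(value) or ["ok"]:
            print(f"           - {issue}")
```

Feed it the header value as returned by `curl -sI https://example.com | grep -i strict-transport-security` (hostname assumed) rather than the value from your configuration file: a header that is set only on the final response, and not on the redirect or on error pages, is a common reason a site fails the preload check.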
The preload token in the header does not submit anything by itself; it is your consent for the domain to be included. You submit the domain yourself at the preload site, and once it is accepted it reaches users with a browser release, typically a few months later.
If you want to submit your site or check its preload status, you can do it here: https://hstspreload.appspot.com/ (the form now lives at hstspreload.org; the old address redirects there).
Be aware that inclusion in the preload list cannot really be undone. You can request to be removed, but it will take months for the deleted entry to reach users with a Chrome update and we cannot make guarantees about other browser vendors. Don’t request inclusion unless you’re sure that you can support HTTPS for the long term.
Note that our WordPress security plugin – Lighthouse – allows administrators to switch the HSTS header on and off.
Users of Internet Explorer versions without HSTS support (it was only added to IE 11 in 2015) are still vulnerable. Nevertheless, it's worth implementing, as it's an official IETF standard (RFC 6797) supported by every other major browser.
Check out the compatibility table.
Also, HSTS only makes sense on a site that is already served over HTTPS: browsers ignore the header when it arrives over plain HTTP, so there is nothing to gain from sending it there. But why wouldn't you be using HTTPS? Remember that HTTPS not only gives you confidentiality (an on-path attacker can still capture the traffic, but cannot read or alter it), it also provides authenticity, promising your users that yes, this content really came from you.
But if you’re using HTTPS you should probably use HSTS too.