How To Fix the “HSTS Missing From HTTP Server” Error

  • Rex Maughan
    Senior Member
    • Mar 2022
    • 119

    How To Fix the “HSTS Missing From HTTP Server” Error

    Hello everyone,

    I'm currently dealing with an "HSTS Missing From HTTP Server" error and could use your expertise to help me understand and resolve it. If any of you have experience with this issue or insights on how to fix it, your assistance would be greatly appreciated.
  • Rachel S
    Senior Member
    • Apr 2022
    • 113

    #2
    The "HSTS Missing From HTTP Server" or "Missing HSTS Error and Warning" pertains to the absence of the HSTS (HTTP Strict Transport Security) response header and directive in the web server's response. HSTS is crucial in ensuring end-to-end secure web browsing and safeguarding website sessions for users. The absence of HSTS raises concerns regarding web security and user privacy.


    Using HTTP URLs exposes users to various web security risks, including vulnerabilities like Man-in-the-Middle (MITM) attacks and Secure Sockets Layer Stripping. In an MITM attack, a malicious actor can redirect users to a clone website to steal their information. HSTS (HTTP Strict Transport Security) protects against these types of attacks and thwarts hackers' attempts to steal data. Consequently, the "Missing HSTS Warning and Error" holds significant importance for web security and SEO (Search Engine Optimization).



    How To Fix the “HSTS Missing From HTTP Server” Error

    1. Create an entire website backup

    Enabling HSTS (HTTP Strict Transport Security) for a website necessitates adjustments to the web server configuration. Consequently, it is essential to create a website backup to safeguard against potential errors during web server configuration changes. When introducing a response header like "Strict-Transport-Security," this backup protects against possible data loss.

    For a comprehensive website backup before implementing HSTS on the web server, you can either manually create a server backup or schedule an automated weekly backup. Various hosting configuration software, such as cPanel, can facilitate the addition of HSTS and the creation of a complete website backup.


    2. Use an HTTP to HTTPS Redirect with 301 Status Code

    For HSTS implementation, a website necessitates an HTTPS connection and a valid SSL Certificate. HSTS functionality cannot be utilized without a legitimate SSL Certificate. Options to set up an SSL Certificate for a website include employing services such as Cloudflare CDN or adopting any Always-On SSL certificate. Using Company Level SSL Certificates enhances user trust and potentially aligns with search engine algorithms by contributing to overall credibility. However, to enable HSTS, any valid SSL Certificate equipped with a valid CRT or CER suffices.

    To achieve the redirection of all HTTP connections to HTTPS on Nginx servers, you can utilize the following code:

    server {
        listen 80;
        server_name domain_name.com www.domain_name.com;
        return 301 https://domain_name.com$request_uri;
    }

    To enforce HTTPS redirection and enable HSTS on WordPress websites, add the following code inside your .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
    # Quote the value, and send the header only on HTTPS responses: browsers ignore HSTS received over plain HTTP
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS


    3. Add the HSTS Header to the Web Server to force the use of HTTPS

    To incorporate the HSTS Header into Apache Web Servers, apply the "Header Always" method in conjunction with the "set" command. To address the issue of “HSTS Missing From HTTP Server” on WordPress and other Apache Web Servers utilizing a ".htaccess" file, use the following code block:
    • Header always set Strict-Transport-Security "max-age=31536000"

    To implement the HSTS Header for Nginx Web servers and resolve the issue of Missing HSTS from the Web Server, utilize the following code block:
    • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    4. Add the Website to the HSTS Preload List of Google for Protection


    Incorporating a website into the HSTS Preload List is essential, as it protects first-time HSTS users. To activate HSTS on a website, the web browser needs to access the website at least once more. Consequently, during the initial web session, the website benefits from the protection of the HSTS Preload List, a list established by the Google search engine.

    For adding domains to the HSTS Preload List, "hstspreload.org" serves as the platform. Any website included in the HSTS Preload List operates under HSTS, even during the first-time connection. To have a website in the HSTS Preload List as a solution to address the "Missing HSTS from Web Server" error, adhere to the criteria below:
    • Possess a valid SSL certificate.
    • Implement HTTP to HTTPS redirection.
    • Enable HTTPS for all subdomains of the website.
    • Offer HTTPS support for the "www" subdomain if a corresponding DNS record exists.
    • Include an HSTS header on the base domain for HTTPS requests with the following specifications:
      • Set the "max-age" to a minimum of 31,536,000 seconds, equivalent to 1 year.
      • Specify the "includeSubDomains" directive.
      • Specify the "preload" directive.
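A checker for the steps above, added as an example that is not part of the original thread. It takes raw response headers of the kind `curl -sI https://your-host/` prints, parses the Strict-Transport-Security value according to RFC 6797 (case-insensitive directive names, integer max-age, includeSubDomains and preload as flags), and reports why the response would fail the preload criteria listed in the post (max-age of at least one year, includeSubDomains, preload). With `--http` it instead checks the plain-HTTP response for the redirect to https:// and warns that an HSTS header sent there is ignored by browsers. The sample responses and the host name domain_name.com are constructed for the example, not captured from any real server.

```python
"""Check Strict-Transport-Security against the hstspreload.org submission criteria.

Added example for this thread; not the forum's or any project's own code.
Usage:  curl -sI https://domain_name.com/ | python3 check_hsts.py
        curl -sI http://domain_name.com/  | python3 check_hsts.py --http
"""
import re
import sys
from email.parser import Parser

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list requires


def parse_headers(raw):
    """Split a raw HTTP response (status line plus headers) into (status_line, Message)."""
    text = raw.replace("\r\n", "\n")
    status_line, _, rest = text.partition("\n")
    headers = Parser().parsestr(rest, headersonly=True)
    return status_line, headers


def parse_hsts(value):
    """Parse an HSTS policy value (RFC 6797 section 6.1) into a dict.

    Returns None when max-age is missing or not an integer, because a browser
    would ignore such a header entirely.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def preload_problems(raw, over_https=True):
    """Return the reasons a response would fail the preload checks; empty list means OK."""
    status_line, headers = parse_headers(raw)
    problems = []
    if not over_https:
        # Plain-HTTP response: it must redirect to https://; HSTS is only honoured
        # over a secure transport (RFC 6797 section 8.1), so a header here is wasted.
        parts = status_line.split()
        code = parts[1] if len(parts) > 1 else ""
        location = headers.get("Location", "")
        if code not in ("301", "302", "307", "308") or not location.lower().startswith("https://"):
            problems.append("plain-HTTP response does not redirect to https://")
        if headers.get("Strict-Transport-Security"):
            problems.append("HSTS header sent over plain HTTP is ignored by browsers; set it on the HTTPS response")
        return problems
    values = headers.get_all("Strict-Transport-Security") or []
    if not values:
        problems.append("Strict-Transport-Security header missing")
        return problems
    if len(values) > 1:
        problems.append("more than one Strict-Transport-Security header")
    policy = parse_hsts(values[0])
    if policy is None:
        problems.append("HSTS header has no valid max-age; browsers will ignore it")
        return problems
    if policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below {ONE_YEAR} (1 year)")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


# Constructed sample responses for the example (not captured from a real host).
INCOMPLETE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Type: text/html\r\n\r\n"
)
PRELOAD_READY = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://domain_name.com/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n"
)

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else INCOMPLETE
    report = preload_problems(raw, over_https="--http" not in sys.argv[1:])
    for line in report or ["OK: response meets the HSTS preload criteria"]:
        print(line)
```

The header in INCOMPLETE is exactly what the .htaccess line in the post emits: a one-year max-age with no includeSubDomains or preload, which is enough to silence a plain "HSTS missing" scanner finding but not enough for hstspreload.org. Run the script against both the HTTPS and the HTTP response of the host before submitting.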







