Now my blog, David Yin's Blog, is served over HTTPS. It also has HSTS enabled, and, most recently, it is on the HSTS preload list.
That means three layers:
- https support.
- HSTS enabled.
- HSTS preload enabled.
Let me explain them one by one.
First, add HTTPS support. I did this step in February 2016, when I announced that SSL was added. I recorded how I got the SSL certificate and installed it on the Nginx web server.
After that, all content sent back and forth between my blog and a reader is encrypted. Even the ISP cannot read the content from the data traffic.
Second, I added HSTS to the Nginx configuration to make it more secure.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
Now you know: it makes any returning reader use HTTPS to access my blog from the second visit onward.
Third, the last step: I added my blog to the HSTS preload list.
There are certain submission requirements you have to meet before you apply for the list.
- Have a valid SSL certificate.
- Redirect from HTTP to HTTPS on the same host.
- Serve all subdomains over HTTPS.
- Serve an HSTS header on the base domain for HTTPS requests:
  - The max-age must be at least eighteen weeks (10886400 seconds).
  - The includeSubDomains directive must be specified.
  - The preload directive must be specified.
- If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).
These requirements are basic. I set the following header in my Nginx server block:
Strict-Transport-Security: max-age=16070400; includeSubDomains
I suggest increasing the max-age value.
Here is the link to add a site to the HSTS preload list: https://hstspreload.appspot.com/
When my site is added to this list, my domain is embedded inside the browser itself, such as Chrome and Firefox. In this situation, even a first-time visitor will reach my blog over HTTPS, whether they enter the URL with or without https.
It took me about half an hour to make the changes to my Nginx directives and submit the request. Then I waited about one week for it to be approved.
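Before submitting, it is worth checking the header you actually serve against the three header requirements listed above. The script below is an added example, not code from the original post or from the preload site: it parses a Strict-Transport-Security header value (RFC 6797 syntax, directives separated by semicolons, names case-insensitive) and reports which preload requirements it fails. Run against the header shown above, it reports that the preload directive is missing; the second sample header, constructed here, passes. The fetch_hsts helper is an assumed convenience that needs network access and is not required for the check itself.

```python
import http.client

# Preload submission requirements for the header, as listed in the post:
# max-age of at least 18 weeks, includeSubDomains present, preload present.
MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400 seconds


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directives are separated by ';', names are case-insensitive, and a
    value may be quoted (max-age="300"), so quotes are stripped.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts_preload(header_value):
    """Return the list of unmet preload requirements (empty list = passes)."""
    d = parse_hsts(header_value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {MIN_MAX_AGE} (18 weeks)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def fetch_hsts(host):
    """Fetch the HSTS header from https://host/ (needs network access).

    Assumed helper for live checks; returns None if the header is absent.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheader("Strict-Transport-Security")


if __name__ == "__main__":
    # First value: the header as written in the post.
    # Second value: a constructed header that satisfies all three rules.
    for hdr in ("max-age=16070400; includeSubDomains",
                "max-age=31536000; includeSubDomains; preload"):
        print(hdr, "->", check_hsts_preload(hdr) or "OK")
```

For a live check, pass the value returned by fetch_hsts("yourdomain.example") to check_hsts_preload; remember that the redirect responses mentioned in the requirements must carry the header too, so check the redirecting host as well as the final page.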
Here is the full list of the HSTS preload domains.