Now my Blog, David Yin Blog, is HTTPS encrypted. It is also HSTS enabled, and most recently, HSTS preload enabled.
That means three layers:
- HTTPS support.
- HSTS enabled.
- HSTS preload enabled.
Let me explain them one by one.
First, add HTTPS support. I did this step in Feb. 2016, when I announced that SSL was added. I recorded how I got the SSL certificate and installed it on the Nginx web server.
After that, all content sent back and forth between my Blog and a reader is encrypted. Even the ISP cannot read the content from the data traffic.
Second, I added HSTS to the Nginx configuration to make it more secure.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.
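Here is what the HSTS step looks like in an Nginx configuration. This is an added example written for this explanation, not the configuration from the blog itself; the hostname example.com, the certificate paths and the document root are placeholders to be replaced with your own values.

```nginx
# Added example (not the blog's own configuration): Nginx serving a site over
# HTTPS only and sending the HSTS header. example.com, the certificate paths
# and the root directory are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Never serve content over plain HTTP; send every request to HTTPS.
    # Browsers only honour an HSTS header received over HTTPS (RFC 6797),
    # so this redirect is what gets a first-time visitor onto the secure site.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder

    # HSTS: instruct browsers to use HTTPS only for this host, and all of its
    # subdomains, for the next year. max-age is in seconds (31536000 = 365 days).
    # "preload" declares that the site may be added to the browsers' built-in
    # preload list; it changes nothing until the domain is submitted to and
    # accepted by that list. "always" makes Nginx send the header on error
    # responses too, not just on 2xx/3xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root  /var/www/blog;   # placeholder
    index index.html;
}
```

Check the syntax with `nginx -t`, reload, and confirm the header is present with `curl -sI https://example.com | grep -i strict-transport-security`. Two caveats before copying this verbatim: with `includeSubDomains`, every subdomain (mail, dev, staging, anything) must be reachable over valid HTTPS or browsers will refuse it for the whole max-age, so audit the subdomains first; and because a browser remembers the policy for the full max-age, it is sensible to start with a short value such as `max-age=300`, verify nothing breaks, and only then raise it to a year.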