Enable HTTP Strict Transport Security in Magento 2

Enable HTTP Strict Transport Security in Magento 2

When you enable HTTP strict transport security in Magento 2, it increases the safety of your online presence. It ensures that web browsers only connect to your site over HTTPS, preventing potential threats like spam attacks. It is a simple step that helps protect sensitive customer data and builds trust in your e-commerce business. This post will provide instructions on enabling HSTS in Magento 2.

Best Magento Hosting now

Key Takeaway:

  • Enabling HTTP Strict Transport Security (HSTS) boosts your Magento website’s security.

  • HSTS is crucial for SEO and protects against cyber attacks.

  • Ensuring your website aligns with a strong security policy and provides a secure browsing experience builds customer trust.

  • Consider the importance of Magento hosting with SSL certification for your online store's security.

What is HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) is a security mechanism implemented in web applications, including Magento 2. It ensures all communication between the browser and the server occurs over a secure, encrypted connection. Enabling HSTS enforces HTTPS (HTTP Secure) protocol by implementing a policy on the website's server. The policy instructs browsers to (only) connect to the site via HTTPS for a specified time.

How to Enable HTTP Strict Transport Security in Magento 2?

Magento has a built-in HSTS option, which you can turn on easily from the Admin panel. To configure HSTS in Magento 2, follow these steps:

  1. Log in to the Magento Admin panel.

  2. Select the Stores option.

  3. Navigate to Settings and expand Configuration.

Navigating to Configuration for enabling HSTS in Magento 2 Admin Panel

  1. In the left-hand menu, navigate to General, then click on Web.

  2. Expand the Base URLs section and ensure your website is configured with a secure HTTPS URL. (check if your Secure Base URL starts with "https://.")


Setting Base URLs in Magento 2 Admin Panel for HSTS

  1. Scroll down and expand the Base URLs (secure) section.

  2. Set the "Use Secure URLs on Storefront" and "Use Secure URLs in Admin" options to Yes.

  3. Find the HTTP Strict Transport Security (HSTS) field and select "Yes."

Securing Base URLs in Magento 2 for HTTP Strict Transport Security

  1. To save the changes, click the save config button.

Manually enabling the HSTS policy

  1. Ensure that your Magento site has proper SSL certificates.

  2. Connect to your server via SSH and access the .htaccess file.

  3. Find the directory where your .htaccess file is located. By default, it is in the public_html directory. Use the following command to go to the public_html folder:

cd applications/<your_application_name>/public_html/
  1. Edit the .htaccess file and add the HSTS rule. Execute the following to open the file for editing.
vim .htaccess
  1. After opening the file, press the ‘i’ key to access the editing mode. Next, you should see –– INSERT –– at the bottom of your screen.

  2. Paste the following HSTS rule to add values for Max-Age and include Subdomains to the .htaccess file:

<IfModule mod_headers.c>
    Header add Strict-Transport-Security "max-age=84600; includeSubDomains"
</IfModule>
  1. Press the ESC key to exit the editing mode.

  2. Then, run the following command to save the changes. Note: you cannot copy and paste the command. You must type it and hit the Enter key.

:wq!

Post-implementation steps

There are a few post-implementation steps to ensure the effectiveness of the HSTS security mechanism.

  1. Clear your browser’s cache and cookies, and purge the Varnish cache. Restart your web server.

  2. Verify if your website has an active HSTS policy. You can use third-party tools for HTTPS verification.

  3. Monitor your domain for any unsecured URLs that may still be present.

  4. Check for any insecure content or mixed content warnings issued by browsers.

  5. Ensure regular tests and verify the functionality of your HTTPS configuration. It will prevent issues with SSL certificates or redirects from HTTP to HTTPS.

Apart from the above-mentioned steps, using a Magento hosting plan will ensure proper SSL certificates and optimal site performance.

Benefits of implementing HSTS

  1. Enabling HTTP Strict Transport Security (HSTS) in Magento 2 enhances the security of your Magento website.

  2. It helps protect against potential security vulnerabilities and attacks like man-in-the-middle, cookie hijacking, or SSL-stripping attacks.

    Example of SSL stripping prevention: (In this example, we address “magentosite.com” to understand the flow.)

    1. Someone types magentosite.com in the browser’s address bar.

    2. The browser tries to load http:/magentosite.com as the default.

    3. But magentosite.com is using 301 permanent redirects to https://unknownwebsite.uk

    4. The browser notices the redirect and loads https://magentosite.com

    Malicious actors can take advantage of the sparse time between the redirection process for SSL Stripping. Hackers can block the redirection request redirection and stop the browser from loading the website over HTTPS protocol.


    If the fraudsters access an unencrypted and unsecured version of the website, they can access the customer data. Sometimes, hackers can redirect visitors to a clone version of the intended website and mine the personal data provided.


    In the situation mentioned above, enabling HSTS will oblige the browser to load the secure version of the website. It will ensure to ignore any calls or redirect requests of loading the intended website over the HTTP protocol. It shuns the redirection vulnerability that exists with a 301 redirect.

  3. Implementing HSTS can also have SEO benefits. Search engines often prefer websites that have secure connections, so enabling HSTS can improve your search engine rankings.

FAQs

1. How can I enable HSTS on Windows for Magento?

To enable HSTS for your Magento store, set up the SSL certificate. Next, use the Magento backend settings to enable HSTS for secure HTTPS URLs.


2. Why is SSL certification and enabling HSTS important for SERP?

Enabling HSTS ensures that your website uses a secure HTTPS connection, positively impacting SEO rankings. It ensures your website aligns with a strong security policy. Implementing HSTS also forces browsers to access the site over HTTPS, protecting against cyber attacks.


3. Can I use HTTP Strict Transport Security on other systems like Nginx?

Enabling HTTP strict transport security works well with different systems, including Nginx. However, first, you will need proper SSL certificates.


4. Can I continue using plain HTTP after enabling HSTS, or will it affect visitors' browsing experience?

Once HSTS is enabled and you choose HTTPS redirect, all visitors will be required to access your site over HTTPS.

It won't affect the browsing experience or your Magento site’s speed. Enabling HSTS prevents your website visitors from cyber attacks.

Summary

Magento website owners must enable HTTP Strict Transport Security (HSTS) and protect valuable customer data. As an ecommerce store owner, you must oblige the need for secure browser interactions and provide increased safety for your website users.


Also, it is recommended to invest in a Magento hosting service for your Magento store’s security.

Vaishali Sharma
Vaishali Sharma
Technical Writer

As a seasoned writer, Vaishali consistently expands her knowledge in Magento hosting. She has four years of professional experience, with a focus on crafting diverse Magento-related content.


Get the fastest Magento Hosting! Get Started