Enable HSTS Globally for All Sites

Hi All,
We have a government client that requires HSTS be enabled. Treepl have advised they are not able to do this for 1 specific site, and would need to make the change globally.

This is extremely critical for our client, and we’d really appreciate partner support in getting this on the Treepl Development schedule as soon as possible.

HSTS is a web security technology that secures HTTPS web servers against downgrade attacks. Downgrade attacks (also known as SSL stripping attacks) are a form of on-path attack in which an attacker redirects web browsers from a correctly configured HTTPS web server to a malicious server.
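For anyone checking what a site actually sends once this lands, here is an added example (not part of the thread and not Treepl's code) that parses a Strict-Transport-Security header the way a browser does and grades it; it also covers `max-age=0`, which is how a site tells browsers to drop a policy it previously sent, the usual answer to the "disable it for one site" concern raised below. The transition and production thresholds are assumptions chosen for illustration.

```python
import re

# A directive is name[=value]; names are case-insensitive, values may be quoted.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*?)"?\s*)?$')

# Thresholds are assumptions for this example, not Treepl settings: a few minutes while
# rolling out (cheap to back out if a site breaks), one year once the policy is stable.
TRANSITION_MAX_AGE = 300
PRODUCTION_MAX_AGE = 31536000

def parse_hsts(header):
    """Return {directive_name_lowercase: value_or_None}; a duplicate directive is invalid."""
    directives = {}
    for part in header.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';' as browsers do
        m = _DIRECTIVE.match(part)
        if not m:
            continue  # unknown or malformed tokens are ignored (RFC 6797 section 6.1)
        name = m.group(1).lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = m.group(2)
    return directives

def _result(status, max_age=None, include_subdomains=False, preload=False):
    return {"status": status, "max_age": max_age, "include_subdomains": include_subdomains, "preload": preload}

def grade_hsts(header):
    """Classify a header as missing, invalid, disabled, transition, short or production."""
    if header is None:
        return _result("missing")
    try:
        directives = parse_hsts(header)
    except ValueError:
        return _result("invalid")
    value = directives.get("max-age")
    if value is None or not value.isdigit():  # max-age is required and must be digits only
        return _result("invalid")
    max_age = int(value)
    if max_age == 0:
        status = "disabled"  # browsers forget any policy they cached for this host
    elif max_age <= TRANSITION_MAX_AGE:
        status = "transition"
    elif max_age >= PRODUCTION_MAX_AGE:
        status = "production"
    else:
        status = "short"
    return _result(status, max_age, "includesubdomains" in directives, "preload" in directives)
```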

Looks like HSTS is available via Cloudflare (even on the free plan) if that’s an option for your client.
I haven’t used it or know much more about it, but might be an option to look into…

Understanding HSTS (HTTP Strict Transport Security) – Cloudflare Help Center

Hi @lee.relianceit - Added here :slight_smile:

Since it is currently not supported by all browsers (some mobile browsers) I would like it to be something we can choose to have or not :slight_smile:

If it is very critical for you and the client I guess you could ask Treepl Services for a quote on this? :slight_smile:


Good call Peter. But 99% of browsers will support it. I think with cyber threats getting to the levels they are, certainly here in the UK, it should be a standard implementation. I too would prefer it on all the time. It would force those 1% outliers (like older Android) to update. But then, who uses older Android?!

Here’s the list: Summary of HSTS Support in Modern Browsers - ProtonMail Blog

Thanks for the feedback @WayneFreeman - Haven’t seen the list. The most interesting for me is that “Internet Explorer” does not support it. Don’t get me wrong; I HATE “Exploder” :rofl:
But I have clients where IE support is important unfortunately.

I am not sure if this needs to be a general setting, rather than something that can be enabled/disabled on single sites.

Maybe @Eugene will give his insight before I will add it to the Backlog :slight_smile:

You’re absolutely right, although I tend to ignore IE because it’s discontinued and unsupported by MS … others might not. We actually specifically exclude it in some of our contracts (project depending) to say we don’t support it, and include an !if IE! JS piece with a pop-up: ‘this site does not support IE … Microsoft have discontinued it, please download Edge’. I’ve been thinking of doing this for all sites going forward.

I’ll also say this: every day we have radio adverts for business insurance saying how ‘even small businesses are being attacked’, and the issue is that insurance companies won’t pay out if security is not totally locked down - if there is a slight loophole, loss adjusters will find it. It’s best practice to include all available security measures. If a government department is saying they want it mandatory, you can be sure business will soon follow.

We are TOTALLY on the same page with “Exploder” :boom:
I really really hate it and we tend to do the same with our contracts.

At the moment we are working on a site for one of our larger clients; they are part of a big capital group that runs all of their IT solutions. They are still on IE9 since this is “safe” (I know :exploding_head: ) - so they have it as a specific request that the site NEEDS to work in IE9, since all of their own desktop machines can only run this. We see this a lot with bigger corporations: they wait a VERY long time to update the company policy regarding browsers etc.

For me personally HSTS makes total sense, but the client mentioned above would not move their site if HSTS was default, so in the “transition” time it would be nice to have it enabled as standard but with the ability to disable it for specific needs :slight_smile:

Another example could be that a client has a specific iFrame, script call etc. that can only run over HTTP. Again, this would be totally outdated, but we still see “integrations” with older systems that are not updated anymore, where that would be a problem since the client doesn’t have, or doesn’t want to update to, another system or similar :slight_smile:

I don’t have any comments :slightly_smiling_face:
Please add it to the Backlog.

It’s really interesting. In the last year we’ve seen all of our corporate clients make the shift. Probably because of the move to Teams which required an upgrade on all fronts. So could it be that something good did come out of Covid?! :blush:


Finally something positive about Covid :rofl:

Added here: https://treepl.co/public-backlog-state/request/enable-hsts-globally-for-all-sites

Hey @Peter-Schmidt I’ve just noticed this has been added twice
https://portal.treepl.co/backlog/5507
https://portal.treepl.co/backlog/5508

5508 is the better option, so you can delete 5507


@lee.relianceit

Not sure who added the first one (5507); they were added a week apart, so it might be myself, since my internal memory is give or take 4 days :rofl:


I’d like to bump this one for visibility’s sake.
Our corporate clients are increasingly asking that this feature be enabled on their websites.

https://portal.treepl.co/backlog/5508


@Peter-Schmidt HSTS is now part of HTTP Header Settings and can be removed from the backlog.


Thanks @Rhatch - Moved to “Delivered” :slight_smile: