News Courtesy of SearchEngineLand.com:
When the server initially calls the HTTP version, hackers can slip in and intercept the request over the insecure HTTP, which will block the site from using HTTPS. It stands to reason that as more sites switch to HTTPS, more hackers are educating themselves on how to crack the updated security codes.
There is a solution for this: make your site even more secure by applying HSTS.
HSTS forces a site to load over HTTPS, disregarding any calls to try an HTTP connection first, as in the case of 301 redirects. This essentially sidesteps the initial HTTP load by forcing the browser to remember that this site does indeed support HTTPS. That way, the browser will load the secure version immediately and eliminate the opportunity for hackers to hijack the connection.
This is news to me. Before coming across this article I had never heard of HSTS (HTTP Strict Transport Security). Now that I have an understanding of the purpose and benefits it provides, there really isn’t a reason not to implement it, unless of course, for some strange reason, you plan on removing HTTPS and your SSL certificate from your website.
I’ve been advocating that website owners make the switch over to HTTPS for almost a year. Chrome now flags websites that don’t use this protocol as insecure. That might be a big deal, except for the fact that you can get an SSL certificate for free. Personally, I’ve been using the plugin Really Simple SSL to convert my websites (and clients’) over to HTTPS. It redirects HTTP requests over to HTTPS in the blink of an eye. So what’s the problem?
Even that brief window of time can leave your website vulnerable, allowing a hacker to prevent HTTPS from loading. The risk might be small now, but with the strong push for HTTPS over the last couple of years, I’m sure hackers will adjust accordingly. HSTS essentially tells your visitors’ browsers that the site will not allow HTTP to be loaded at all. In order to take advantage of this and instruct browsers to follow HSTS, a piece of code must be inserted in your site’s .htaccess file.
In most cases, that should be all that needs to be done. You can test if it is working by plugging in your domain here. People who visit your website will now have their browsers load only the HTTPS version of your website. This bypasses any 301 redirects from HTTP, which slightly improves loading times and is great for SEO too!
Of course, first-time visitors to your domain will still try to load the website over HTTP initially. For this very reason, a preload list was created where you can submit your domain to instruct major browsers to only use HTTPS, regardless of whether it is the first time a visitor loads your website. The above link will allow you to submit your domain to this list. Just make sure you’re absolutely certain you do not need to revert back to HTTP. Once you’ve completed submission, you’re good to go! Let me know your thoughts or if you encounter any errors by commenting below.