When you enable HTTP strict transport security in Magento 2, it increases the safety of your online presence. It ensures that web browsers only connect to your site over HTTPS, preventing potential threats like spam attacks. It is a simple step that helps protect sensitive customer data and builds trust in your e-commerce business. This post will provide instructions on enabling HSTS in Magento 2.
What is HTTP Strict Transport Security (HSTS)?
HTTP Strict Transport Security (HSTS) is a security mechanism implemented in web applications, including Magento 2. It ensures all communication between the browser and the server occurs over a secure, encrypted connection. Enabling HSTS enforces HTTPS (HTTP Secure) protocol by implementing a policy on the website’s server. The policy instructs browsers to (only) connect to the site via HTTPS for a specified time.
How to Enable HTTP Strict Transport Security in Magento 2?
Magento has a built-in HSTS option, which you can turn on easily from the Admin panel. To configure HSTS in Magento 2, follow these steps:
- Log in to the Magento Admin panel.
- Select the Stores option.
- Navigate to Settings and expand Configuration.
- In the left-hand menu, navigate to General, then click on Web.
- Expand the Base URLs section and ensure your website is configured with a secure HTTPS URL. (check if your Secure Base URL starts with “https://.”)
- Scroll down and expand the Base URLs (secure) section.
- Set the “Use Secure URLs on Storefront” and “Use Secure URLs in Admin” options to Yes.
- Find the HTTP Strict Transport Security (HSTS) field and select “Yes.”
- To save the changes, click the save config button.
Post-implementation steps
There are a few post-implementation steps to ensure the effectiveness of the HSTS security mechanism.
- Clear your browser’s cache and cookies, and purge the Varnish cache. Restart your web server.
- Verify if your website has an active HSTS policy. You can use third-party tools for HTTPS verification.
- Monitor your domain for any unsecured URLs that may still be present.
- Check for any insecure content or mixed content warnings issued by browsers.
- Ensure regular tests and verify the functionality of your HTTPS configuration. It will prevent issues with SSL certificates or redirects from HTTP to HTTPS.
Apart from the above-mentioned steps, using a Magento hosting plan will ensure proper SSL certificates and optimal site performance.
Benefits of implementing HSTS
- Enabling HTTP Strict Transport Security (HSTS) in Magento 2 enhances the security of your Magento website.
- It helps protect against potential security vulnerabilities and attacks like man-in-the-middle, cookie hijacking, or SSL-stripping attacks.Example of SSL stripping prevention: (In this example, we address “magentosite.com” to understand the flow.)
- Someone types magentosite.com in the browser’s address bar.
- The browser tries to load http:/magentosite.com as the default.
- But magentosite.com is using 301 permanent redirects to https://unknownwebsite.uk
- The browser notices the redirect and loads https://magentosite.com
If the fraudsters access an unencrypted and unsecured version of the website, they can access the customer data. Sometimes, hackers can redirect visitors to a clone version of the intended website and mine the personal data provided.
In the situation mentioned above, enabling HSTS will oblige the browser to load the secure version of the website. It will ensure to ignore any calls or redirect requests of loading the intended website over the HTTP protocol. It shuns the redirection vulnerability that exists with a 301 redirect. - Implementing HSTS can also have SEO benefits. Search engines often prefer websites that have secure connections, so enabling HSTS can improve your search engine rankings.
Summary
Magento website owners must enable HTTP Strict Transport Security (HSTS) and protect valuable customer data. As an ecommerce store owner, you must oblige the need for secure browser interactions and provide increased safety for your website users.