HTTP Strict Transport Security (HSTS) Preload ensures that browsers always connect to your website using HTTPS. Your domain is added to a list that ships with the browser, so secure connections are enforced by default. This article covers what HSTS preload is, how to enable it, and how to check its status using tools like CertPanel SSL Monitor and the official HSTS preload website.
What is HSTS Preload?
HSTS preload is a security feature in which browsers such as Chrome, Firefox, and Safari ship with a built-in list of domains that must only be reached over HTTPS. When a domain is on the preload list, it ensures:
- No HTTP connections occur.
- Automatic upgrade to HTTPS inside the browser, before any request reaches the server.
This closes the window for man-in-the-middle (MITM) attacks on an unencrypted first request by enforcing encryption from the very first connection.
Set Up HTTP to HTTPS Redirects
All HTTP traffic must be redirected to HTTPS. Below are server-specific configurations:
Windows Server (IIS Configuration)
- Visit the official website at https://www.iis.net/downloads/microsoft/url-rewrite to download and install the URL Rewrite Module on your Windows Server.
- Open IIS Manager and select your site.
- Configure HTTP to HTTPS redirection by editing the web.config file in the web root directory of your IIS website.
Add the following URL Rewrite rule in web.config. Note that this rule only performs the redirect; it does not add the Strict-Transport-Security header.
<!-- URL Rewrite rule to redirect all HTTP traffic to HTTPS -->
<!-- Place this <rewrite> element inside <system.webServer> -->
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://itsatestsite.online/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
- Restart IIS by running the following command in PowerShell or Command Prompt:
C:\Users\Administrator> iisreset
Ubuntu Server (Nginx Configuration)
- Open your Nginx configuration file (e.g., for a single-site setup):
$ sudo vim /etc/nginx/sites-available/default
- Add an HTTP to HTTPS redirection block:
server {
    listen 80;
    server_name itsatestsite.online;
    return 301 https://$host$request_uri;
}
- Add the HTTPS block with HSTS and other security headers. Replace ssl_certificate and ssl_certificate_key paths with your actual certificate files:
server {
    listen 443 ssl;
    server_name itsatestsite.online;
    root /var/www/html;
    index index.html index.htm;

    ssl_certificate /etc/ssl/certs/combined_certificate.crt;
    ssl_certificate_key /etc/ssl/private/PRIVATEKEY.key;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https:;" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
- Test the configuration, then restart Nginx to apply the changes:
$ sudo nginx -t
$ sudo systemctl restart nginx
Amazon Linux 2 (Apache Configuration)
- Open the Apache SSL configuration file:
$ sudo vim /etc/httpd/conf.d/example.com-ssl.conf
- Add an HTTP to HTTPS redirection rule:
<VirtualHost *:80>
    ServerName itsatestsite.online
    DocumentRoot /var/www/html
    # Redirect all HTTP traffic to HTTPS
    Redirect permanent / https://itsatestsite.online/
</VirtualHost>
- Add the HSTS header inside the SSL virtual host block:
<VirtualHost *:443>
    ServerName itsatestsite.online
    DocumentRoot /var/www/html

    # SSL Configuration
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/itsatestsite_online.crt
    SSLCertificateKeyFile /etc/ssl/private/PRIVATEKEY.key
    SSLCertificateChainFile /etc/ssl/certs/My_CA_Bundle.ca-bundle

    # Add HSTS header
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Other security headers (optional but recommended)
    Header always set Content-Security-Policy "default-src https: 'self'"
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</VirtualHost>
- Restart Apache to apply the changes:
$ sudo apachectl configtest
$ sudo systemctl restart httpd
Check the HSTS Preload Status
Once the HSTS header is set and all redirects are correctly configured, verify whether your domain qualifies for HSTS preload.
How to Check and Submit Your Domain to the HSTS Preload List
- Go to hstspreload.org.
- Enter your domain (e.g., itsatestsite.online).
- If all requirements are met, you can submit your domain.
- If you see “Pending Submission”, your request is under review.

Check & Verify HSTS Configuration using CertPanel SSL Monitor
Using CertPanel SSL Monitor, you can confirm whether your HSTS headers and HTTPS setup are correct.
- Log in to CertPanel and navigate to the SSL Scan Tool.
- Enter your domain and initiate a scan.
- Verify the report for:
  - HSTS header presence with the correct preload directive.
  - Proper HTTP to HTTPS redirects.
Additional Steps for Ensuring Proper Setup
If issues persist, consider these extra checks:
- Test HSTS with Online Tools
Use online tools like SSL Labs' SSL Test to verify if HSTS is enabled on your server. This tool will show the HSTS status along with additional details about your SSL/TLS configuration.
- Verify Redirects Using cURL
Run the following command:
$ curl -I http://itsatestsite.online
Expected output (other headers omitted):
HTTP/1.1 301 Moved Permanently
Location: https://itsatestsite.online/
- Check HSTS Preload Submission
Go to hstspreload.org and verify if your domain is listed.
Troubleshooting HSTS Preload Issues
If submission fails or HSTS doesn’t work:
- Ensure the preload directive is added to the HSTS header.
- Verify that all subdomains are redirected to HTTPS.
- Re-check hstspreload.org and CertPanel SSL Monitor for misconfigurations.
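The checks above can also be run locally against saved `curl -I` output. The following Python script is an added example, not part of the original article or of any tool it mentions: it applies the preload requirements (redirect to HTTPS on the same host, a single HSTS header, max-age of at least 31536000, includeSubDomains, preload). The function names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year in seconds, as in the header this article sets

def parse_response(raw):
    """Split raw `curl -I` output into (status code, {lowercased name: [values]})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def check_preload(host, http_raw, https_raw):
    """Return a list of problems; an empty list means the headers look preload-ready."""
    problems = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", [""])[0])
    if status not in (301, 302, 307, 308):
        problems.append("HTTP response is not a redirect")
    elif target.scheme != "https" or target.hostname != host:
        problems.append("HTTP does not redirect to HTTPS on the same host")
    _, headers = parse_response(https_raw)
    hsts = headers.get("strict-transport-security", [])
    if len(hsts) != 1:  # browsers process only the first header (RFC 6797)
        return problems + [f"expected one HSTS header, found {len(hsts)}"]
    d = parse_hsts(hsts[0])
    max_age = d.get("max-age") or ""
    if not max_age.isdigit() or int(max_age) < MIN_MAX_AGE:
        problems.append(f"max-age must be at least {MIN_MAX_AGE}")
    problems += [f"missing {f} directive" for f in ("includesubdomains", "preload") if f not in d]
    return problems

# Constructed sample responses (not captured from a real server).
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://itsatestsite.online/\n"
GOOD_HTTPS = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\n"
BAD_HTTP = "HTTP/1.1 301 Moved Permanently\nLocation: https://www.itsatestsite.online/\n"
BAD_HTTPS = "HTTP/1.1 200 OK\nstrict-transport-security: max-age=86400; includeSubDomains\n"

print(check_preload("itsatestsite.online", BAD_HTTP, BAD_HTTPS))
```

To check a live site, pass the saved output of `curl -I http://...` and `curl -I https://...` for the same host as the second and third arguments.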
Conclusion
HSTS Preload strengthens security by having browsers enforce HTTPS from the first connection. Using tools like hstspreload.org for submission and CertPanel SSL Monitor for validation ensures proper implementation. Following the server-specific steps outlined here, along with additional verification methods, will help you maintain a secure web presence.