A couple of website testers suggest that my website is not meeting best security practices.
They say to prevent SSL stripping (wifi hotspot attacks) I should disable any initial contact via http.
The code or setting is
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Does anyone know or actually use this?
It’s not a choice you can enable with Webflow hosting.
Ow, that’s a shame, maybe they should include it automatically or have a slider option.
Webflow allows HTTP sites. Until they force everything to HTTPS this is not going to happen. There are probably too many legacy sites hosted that would require user modification to make the transition (DNS changes). I am only speculating on what holds them back. This is probably a NO GO with everything else going on.
We’ve just had a client query this as well as a result of a security report telling them that the site has a security weakness - ‘HTTP Strict Transport Security (HSTS) not strictly enforced for domain-######’
I hope Webflow consider this to be an issue that will be high on the dealbreaking criteria for potential clients as to whether or not to take a project on in Webflow. I imagine for ecommerce sites it’ll be even more of a concern. Fingers crossed it gets addressed sooner rather than later.
I see it is mentioned on the Wishlist here Support HSTS | Webflow Wishlist
I’m looking for a solution for HSTS as well. I just launched the site last week and my SEO ranking is really low. I ran an audit on SEMrush and they recommended me to use a server that supports HSTS. I wish there was at least an option from webflow to allow this. Would appreciate it if anyone has any workaround on this.
HSTS is a header that you send in an existing HTTPS request, it is only valid in an HTTPS request and not in HTTP.
As such, even if you send it on HTTP requests the client should ignore it.
This leaves the HTTPS connections, and it should be a choice per domainname, enabled by default. (again since the connection is https, it will most likely continue to be https)
Lack of HSTS when requested is simply unacceptable for any reputable site or producer.
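Added example, not code from the thread or from Webflow: a small Python model of how a client processes the header quoted earlier in this thread, written to show the two points made above. A policy is only accepted from an HTTPS response (an HSTS header on a plain-HTTP response is ignored), and once stored it upgrades later http:// URLs for that host, and for subdomains only when includeSubDomains is present. The names `parse_hsts` and `HstsCache` and the `example.com` hosts are assumptions made for the example; the semantics follow RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when there is no usable max-age, which makes the
    header invalid and ignorable.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True  # informational only; the preload list is separate
    return None if policy["max_age"] is None else policy


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797 semantics)."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, scheme, host, headers):
        """Record the policy carried by a response; returns True if one was applied.

        Only responses received over HTTPS count. A header seen on an
        http:// response is ignored, which is the point made in the thread.
        """
        if scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the client to forget the host
            return True
        self.hosts[host] = (self.now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact match always applies; a parent domain applies only with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self.now():
                continue  # expired entry
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3] + ":443"  # explicit port 80 becomes 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed walk-through: same header over HTTP is ignored, over HTTPS it sticks."""
    cache = HstsCache(now=lambda: 1_000_000.0)
    headers = {"Strict-Transport-Security":
               "max-age=31536000; includeSubDomains; preload"}  # value from the thread
    ignored = cache.observe("http", "example.com", headers)
    stored = cache.observe("https", "example.com", headers)
    return (ignored, stored,
            cache.rewrite("http://example.com/login"),
            cache.rewrite("http://shop.example.com/"))


if __name__ == "__main__":
    print(demo())
```

The model shows why the header cannot be bootstrapped from an HTTP-only site: until the client has completed at least one HTTPS exchange that carries the header (or the domain is on the preload list), it has nothing to upgrade against.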
Yes, I understand that. Since I don’t work for Webflow and have no crystal ball that allows me insight into internal devops I can only speculate as I had done, as to why they had not.
Feel free to open a ticket with Webflow. You could also bring this up as a question for the next community conference.
Does anyone have an update on adding the HSTS header? I really don't want to recommend moving to another provider because Webflow is forcing a huge upgrade for a simple header. We are already an HTTPS-only website. Thanks, Jacob
@Jacob_Stanton You may look into this solution that exports your page to a different location. From there, you can set up any headers you like and you don’t need any big upgrade.