A couple of website testers suggest that my website is not meeting best security practices.
They say to prevent SSL stripping (wifi hotspot attacks) I should disable any initial contact via http.
The code or setting is
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Does anyone know or actually use this?
It’s not a choice you can enable with Webflow hosting.
Ow, that’s a shame, maybe they should include it automatically or have a slider option.
Webflow allows HTTP sites. Until they force everything to HTTPS this is not going to happen. There are probably to many legacy sites hosted that would require user modification to make the transition (DNS changes). I am only speculating on what holds them back. This is probably a NO GO with everything else going on.
We’ve just had a client query this as well as a result of a security report telling them that the site has a security weakness - ‘HTTP Strict Transport Security (HSTS) not strictly enforced for domain-######’
I hope Webflow consider this to be an issue that will be high on the dealbreaking criteria for potential clients as to whether or not to take a project on in Webflow. I imagine for ecommerce sites it’ll be even more of a concern. Fingers crossed it gets addressed sooner rather than later.
I see it is mentioned on the Wishlist here Support HSTS | Webflow Wishlist
I’m looking for a solution for HSTS as well. I just launched the site last week and my SEO ranking is really low. I ran an audit on SEMrush and they recommended me to use a server that supports HSTS. I wish there was at least an option from webflow to allow this. Would appreciate it if anyone has any workaround on this.
HSTS is a header that you send in an existing HTTPS request, it is only valid in an HTTPS request and not in HTTP.
As such, even if you send it on HTTP requests the client should ignore it.
This leaves the HTTPS connections, and it should be a choice per domainname, enabled by default. (again since the connection is https, it will most likely continue to be https)
Lack of HSTS when requested is simply unacceptable for any reputable site or producer.
Yes, I understand that. Since I don’t work for Webflow and have no crystal ball that allows me insight into internal devops I can only speculate as I had done, as to why they had not.
Feel free to open a ticket with Webflow. You could also bring this up as a question for the next community conference.
Does anyone have an update on adding the HSTS header? I really don't want to recommend moving to another provider because Webflow is forcing a huge upgrade for a simple header. We are already HTTPS only website. Thanks, Jacob
Seems like a missing must-have!
Has anybody found a workaround for this yet?
@Jack_Storment - You could upgrade to enterprise, self host, or use a reverse proxy where HSTS is supported.
I found this article but somehow my webflow project doesn’t show the toggle button as they say, does anyone know why?
I am using custom domain so it should be eligible.
@koya_m - Requires an enterprise plan as described in the post previous to yours.
We’ve actually had to move clients away from Webflow and to other platforms like Netlify who provide HSTS in their base plans, as Webflow is choosing to make a cash grab and upcharge users roughly $10k for access to an industry standard security feature.