A couple of website testers suggest that my website is not meeting best security practices.
They say to prevent SSL stripping (wifi hotspot attacks) I should disable any initial contact via http.
The code or setting is
Webflow allows HTTP sites. Until they force everything to HTTPS this is not going to happen. There are probably to many legacy sites hosted that would require user modification to make the transition (DNS changes). I am only speculating on what holds them back. This is probably a NO GO with everything else going on.
We’ve just had a client query this as well as a result of a security report telling them that the site has a security weakness - ‘HTTP Strict Transport Security (HSTS) not strictly enforced for domain-######’
I hope Webflow consider this to be an issue that will be high on the dealbreaking criteria for potential clients as to whether or not to take a project on in Webflow. I imagine for ecommerce sites it’ll be even more of a concern. Fingers crossed it gets addressed sooner rather than later.
I’m looking for a solution for HSTS as well. I just launched the site last week and my SEO ranking is really low. I ran an audit on SEMrush and they recommended me to use a server that supports HSTS. I wish there was at least an option from webflow to allow this. Would appreciate it if anyone has any workaround on this.
HSTS is a header that you send in an existing HTTPS request, it is only valid in an HTTPS request and not in HTTP.
As such, even if you send it on HTTP requests the client should ignore it.
This leaves the HTTPS connections, and it should be a choice per domainname, enabled by default. (again since the connection is https, it will most likely continue to be https)
Lack of HSTS when requested is simply unacceptable for any reputable site or producer.
Does anyone have an update on adding the HSTS header? I really don't want to recommend moving to another provider because Webflow is forcing a huge upgrade for a simple header. We are already HTTPS only website. Thanks, Jacob