HSTS - can we set this? How and where

A couple of website testers suggest that my website is not meeting best security practices.
They say to prevent SSL stripping (wifi hotspot attacks) I should disable any initial contact via http.
The code or setting is

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Does anyone know or actually use this?

1 Like

It’s not a choice you can enable with Webflow hosting.

1 Like

Ow, that’s a shame, maybe they should include it automatically or have a slider option.

Webflow allows HTTP sites. Until they force everything to HTTPS this is not going to happen. There are probably too many legacy sites hosted that would require user modification to make the transition (DNS changes). I am only speculating on what holds them back. This is probably a NO GO with everything else going on.

1 Like

We’ve just had a client query this as well as a result of a security report telling them that the site has a security weakness - ‘HTTP Strict Transport Security (HSTS) not strictly enforced for domain-######’

I hope Webflow consider this to be an issue that will be high on the dealbreaking criteria for potential clients as to whether or not to take a project on in Webflow. I imagine for ecommerce sites it’ll be even more of a concern. Fingers crossed it gets addressed sooner rather than later.

I see it is mentioned on the Wishlist here Support HSTS | Webflow Wishlist

1 Like

I’m looking for a solution for HSTS as well. I just launched the site last week and my SEO ranking is really low. I ran an audit on SEMrush and they recommended that I use a server that supports HSTS. I wish there was at least an option from Webflow to allow this. Would appreciate it if anyone has any workaround on this.

HSTS is a header that you send in an existing HTTPS request; it is only valid in an HTTPS request and not in HTTP.
As such, even if you send it on HTTP requests the client should ignore it.
This leaves the HTTPS connections, and it should be a choice per domain name, enabled by default (again, since the connection is HTTPS, it will most likely continue to be HTTPS).
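An added check, not code from the thread or from Webflow, that parses a Strict-Transport-Security header and applies the points above (a header received over plain HTTP is ignored by clients, and the testers' target of a one-year max-age with includeSubDomains and preload); `parse_hsts` and `assess` are names chosen here, and the responses in any test are constructed.

```python
# Added example, not code from the thread or from Webflow: parse a
# Strict-Transport-Security header (RFC 6797) and list what a scanner
# would flag. Standard library only; inputs in the test are constructed.
ONE_YEAR = 31536000  # the max-age the thread's testers asked for

def parse_hsts(value: str) -> dict:
    """Parse the header value. Directive names are case-insensitive,
    max-age is mandatory and a repeated directive invalidates the header."""
    policy = {"max_age": None, "include_subdomains": False,
              "preload": False, "errors": []}
    seen = set()
    for directive in (d.strip() for d in value.split(";") if d.strip()):
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in seen:
            policy["errors"].append(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                policy["max_age"] = int(arg)
            else:
                policy["errors"].append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # any other directive is ignored, as RFC 6797 tells clients to do
    if policy["max_age"] is None:
        policy["errors"].append("max-age directive missing")
    return policy

def assess(scheme: str, headers: dict) -> list:
    """Findings for one response, given the scheme it was fetched over.
    An empty list means the header is present and meets the thread's target."""
    if scheme.lower() != "https":
        # Browsers discard HSTS received over plain HTTP, exactly as the post says.
        return ["HSTS is only honoured over HTTPS; this response cannot set it"]
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    p = parse_hsts(value)
    findings = list(p["errors"])
    if p["max_age"] is not None and p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']} is below one year ({ONE_YEAR})")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing")
    if p["preload"] and findings:
        findings.append("preload set, but the preload list also requires the above")
    return findings
```

Run `assess` against the scheme and response headers you actually fetched; the header value quoted at the top of the thread yields no findings, while the same header over http:// is reported as having no effect.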

Lack of HSTS when requested is simply unacceptable for any reputable site or producer.

Yes, I understand that. Since I don’t work for Webflow and have no crystal ball that allows me insight into internal devops I can only speculate as I had done, as to why they had not.

Feel free to open a ticket with Webflow. You could also bring this up as a question for the next community conference.

1 Like
Does anyone have an update on adding the HSTS header? I really don't want to recommend moving to another provider because Webflow is forcing a huge upgrade for a simple header. We are already an HTTPS-only website. Thanks, Jacob
1 Like

Seems like a missing must-have!

Bumping this because it’s still an issue

Has anybody found a workaround for this yet?

@Jack_Storment - You could upgrade to enterprise, self host, or use a reverse proxy where HSTS is supported.