How To Fix the “HSTS Missing From HTTPS Server” Error (in 5 Steps)
Aug 15, 2023
Any site that relies on an HTTP-to-HTTPS redirect without HSTS leaves that first plaintext request open to downgrade and man-in-the-middle attacks, so it is wise to take a proactive approach and fix this flaw. 💪 👉 Subscribe: https://www.youtube.com/c/Kinsta?sub _…

It's widely accepted that HTTPS is far more secure than HTTP. However, if you're encountering the “HSTS missing from HTTPS server” message, then the redirect that gets your visitors onto HTTPS could be putting your site at risk. Fortunately, it is possible to close this security loophole. Even if you haven't encountered this error message, any site that redirects from HTTP to HTTPS without sending a Strict-Transport-Security header is exposed in the same way, so it's still wise to fix it proactively. In this video, we'll explore what the “HSTS missing from HTTPS server” error is and why it matters for any website that uses HTTPS redirects. We'll then show you how to fix this problem and foil the hackers, in five easy steps.

ℹ️ About Kinsta
Kinsta is an award-winning cloud platform designed to host and manage your WordPress sites, applications, and databases faster and more efficiently. Trusted by 25,000+ companies worldwide, from developers, startups, and agencies to multinational brands, we guarantee lightning-fast performance, enterprise-level security, ease of use, and exceptional support.

🚀 Try our flagship Managed WordPress Hosting plans and get $240/month worth of premium features included in every plan. That's free unlimited migrations, 20% faster load times thanks to Google's fastest servers and Premium Tier network backed by Cloudflare's 275+ CDN locations worldwide, and 24/7/365 multilingual technical support from humans in less than 2 minutes.
👉 Try risk-free with our 30-day money-back guarantee: Powerful Managed WordPress Hosting

👤 Follow us:
► https://kinsta.com/blog/
► https://kinsta.com/newsletter/
► https://twitter.com/kinsta
► https://instagram.com/kinstahosting
► https://facebook.com/kinstahosting

💡 Discover all of our hosting solutions
► https://kinsta.com/

🕘 Timestamps
0:00 Intro
1:00 The HSTS Protocol (and Why You May Want to Use It)
2:29 How To Fix the “HSTS Missing From HTTPS Server” Error
2:47 Create a Manual Backup
3:28 Set Up an HTTP to HTTPS Redirect
4:45 Add the HSTS Header
5:28 Submit Your Site To the HSTS Preload List
6:44 Verify Your Strict-Transport-Security Header

📚 Resources
🛠 How To Fix the “HSTS Missing From HTTPS Server” Error ► https://kinsta.com/knowledgebase/hsts …
🛠 Redirect all of your HTTP traffic to HTTPS - Nginx Server ► https://www.cloudbooklet.com/nginx-re …

#HSTS
Content
0 -> Hey there, I'm Mike,
0.86 -> and today I'm going to show you how to fix the “HSTS missing
4.4 -> from HTTPS server” error.
6.897 -> (upbeat music)
12.3 -> It's widely accepted
13.36 -> that HTTPS is far more secure than HTTP.
17.01 -> However, if you're encountering the “HSTS missing
19.99 -> from HTTPS server” message,
22.46 -> then this protocol could be putting your site at risk.
24.91 -> Fortunately, it is possible
26.65 -> to close this serious security loophole.
29.11 -> Even if you haven't encountered this error message,
31.52 -> any site that redirects from HTTP to HTTPS
35.07 -> is vulnerable to this exploit.
37.01 -> Therefore, it is still wise to take a proactive approach
40.3 -> and fix this flaw.
41.28 -> In this video, we'll show you how to fix this problem
43.85 -> and foil the hackers in five easy steps.
46.67 -> But before we get too far,
48.09 -> I wanna let you know that there'll be links
49.41 -> to more resources in the video's description
51.51 -> and remember subscribe and ring that bell
53.44 -> to get notifications for future helpful content.
55.96 -> Now, what is the HSTS protocol?
63.9 -> HSTS is a server directive and web security policy.
67.66 -> Specified by the Internet Engineering Task Force,
70.22 -> HSTS sets regulations for how user agents and web browsers
74.17 -> should handle their connections
75.77 -> for a site running over HTTPS.
78.11 -> Sometimes, an IT security scan might report
80.67 -> that your site is missing HSTS
82.65 -> or HTTP Strict Transport Security headers.
86.26 -> If you encounter this error,
87.64 -> then your site isn't using HSTS,
89.71 -> which means your HTTPS redirects
92.34 -> may be putting your visitors at risk.
94.15 -> This is classed as a medium-risk vulnerability.
96.95 -> However, it's incredibly common
98.75 -> and represents low hanging fruit for attackers.
101.46 -> If you encounter this error,
102.87 -> then it's crucial you address it.
104.17 -> By adding the HSTS security header
106.32 -> to your server,
107.26 -> you can force your site to load on the HTTPS protocol.
111.01 -> This can help protect your site against cookie hijacking
113.57 -> and protocol attacks.
114.81 -> Since you're potentially removing a redirect
116.71 -> from the loading procedure, your site may also load faster.
120.31 -> There's a chance you may not have encountered this error
122.49 -> but are still concerned about HSTS.
124.65 -> If you're unsure whether you have HSTS enabled,
127.12 -> you can scan your site using a tool
128.77 -> such as Security Headers.
130.3 -> Simply enter your website's URL,
132.24 -> and then click on Scan.
133.64 -> Security Headers will check your site
135.26 -> and display all of the applied headers
137.2 -> in the headers section.
138.68 -> If Strict-Transport-Security makes an appearance,
141.46 -> then your site is protected.
142.98 -> However, if this header isn't listed,
145.26 -> then we have some work to do.
151.67 -> For hackers,
152.503 -> the HSTS vulnerability is the perfect opportunity
155.02 -> to steal data or trick your visitors
157.07 -> into performing dangerous actions.
158.68 -> Here's how to enable HSTS policy and keep your site safe.
162.52 -> Enabling the HSTS policy represents a significant change
165.82 -> to your website.
166.87 -> For this reason,
167.71 -> we recommend creating an on-demand backup before proceeding.
170.69 -> This gives you the option to restore your site
172.69 -> in the unlikely event that you encounter any issues
175.19 -> when enabling HSTS.
176.8 -> At Kinsta, we provide daily automatic WordPress backups.
180.3 -> However, it's still smart to create a manual backup
182.81 -> before making any major changes.
184.83 -> To create this safety net,
186.01 -> log into MyKinsta dashboard,
187.83 -> and select the website in question
189.72 -> then click on the Backups tab.
191.66 -> Next, select the manual tab, find the Backup now button
195.46 -> and then give it a click.
196.54 -> You can now add a short note to your backup.
199.04 -> This can help you identify it in your MyKinsta dashboard.
201.96 -> Finally, click on create backup.
204.1 -> We'll now generate your backup,
205.41 -> and add it to your dashboard.
206.68 -> Before enabling the HSTS policy,
208.87 -> you'll need to deploy an SSL certificate to your website.
212.27 -> At Kinsta, we automatically protect all verified domains
215.36 -> with our Cloudflare integration.
217.32 -> This includes free SSL certificates with wildcard support.
220.41 -> If you specifically require a custom certificate,
223.06 -> you won't have to worry about configuring SSL manually.
225.76 -> Next, you'll need to set up an HTTP to HTTPS redirect,
229.71 -> if you haven't already.
230.64 -> To create this redirection,
231.82 -> simply log into your MyKinsta dashboard
233.81 -> and select your website.
235.12 -> Next, click on Tools;
236.73 -> in the force HTTPS section,
239.04 -> click on the Enable button.
240.57 -> You can now choose to use your primary domain
242.66 -> as a destination or request to use an alternative domain.
246.1 -> After making this decision, select Force HTTPS.
249.66 -> Just be aware,
250.8 -> that if you use any third party proxies
252.79 -> or set up any custom HTTPS rules,
255.47 -> then forcing HTTPS may result in errors
258.35 -> or other strange behavior.
260.03 -> If you do encounter any issues,
261.66 -> you can always contact our support team
263.46 -> who are happy to help.
264.68 -> If your web server is running Nginx,
266.71 -> then you can redirect all of your HTTP traffic to HTTPS.
270.64 -> Simply add the following code
272.07 -> to your Nginx configuration file.
274.37 -> Alternatively, if you're a Kinsta customer,
276.62 -> then we can make this change for you.
278.46 -> Just open a support ticket
279.79 -> and let us know which domain needs to be redirected
282.18 -> and we'll handle the rest.
283.48 -> There are various types of directives and levels
285.36 -> of security that you can apply to your HSTS header.
288.51 -> However, we recommend using the max-age directive
291.77 -> as this defines the time in seconds
293.79 -> for which the web server should deliver via HTTPS.
297.34 -> This blocks access to pages
299.07 -> or sub domains that can only be served over HTTP.
302.11 -> If you're using an Apache server
303.78 -> you'll need to open your virtual host file.
306.03 -> You can then add the following.
308.1 -> At Kinsta, we run Nginx servers.
310.4 -> If you're a Kinsta customer, then you can add the following
312.88 -> to your Nginx configuration file.
315.95 -> As always, we can do all of the hard work for you.
318.67 -> Simply open up a support ticket,
320.18 -> requesting that we add an HSTS header to your site.
323.67 -> Our team will be happy to make this change for you.
325.86 -> There is one major downside to the HSTS policy.
329.15 -> A browser has to encounter the HSTS header,
331.93 -> at least once before it can be used for future visits.
335.14 -> This means your audience will need
336.69 -> to complete the HTTP to HTTPS redirection process
340.44 -> at least once.
341.3 -> During this time,
342.37 -> they will be vulnerable to protocol based attacks.
345 -> In an attempt to close the security loophole,
347.41 -> Google created the HSTS preload list.
350.45 -> This lists all of the websites that support HSTS,
353.59 -> which is then hard-coded into Chrome.
355.44 -> By adding your site to this list,
357.15 -> visitors will no longer have to
358.56 -> complete an initial HSTS redirection.
361.55 -> Most of the major internet browsers
363.16 -> have their own HSTS preload list,
365.59 -> which are based on Chrome's list.
367.39 -> To be eligible for this list,
368.96 -> your site must meet the submission criteria.
371.18 -> The good news is that we've already covered
372.96 -> all of these requirements so you can go ahead
375.17 -> and submit your site to the HSTS preload list.
378.1 -> Once you make it onto this list,
379.63 -> some SEO tools may warn you about 307 redirects.
383.58 -> These redirects occur when someone attempts
385.78 -> to access your site via an unsecured HTTP protocol.
388.98 -> This triggers a 307 redirect
391.15 -> instead of a permanent 301 redirect.
393.54 -> If you're concerned about this,
394.92 -> you can use HTTP Status to scan your site
397.65 -> and verify whether a 301 redirect is occurring.
400.64 -> After adding the HSTS header,
402.66 -> it's a good idea to test that it's functioning correctly.
405.24 -> You can perform this check
407.247 -> using your browser's built-in web tools.
408.52 -> The steps will vary depending on your chosen web browser.
411.17 -> To perform this check in Google Chrome DevTools,
413.95 -> navigate to the webpage that you want to test.
416.38 -> You can then click on any blank area and select Inspect.
419.69 -> In the subsequent panel, select the Network tab.
422.57 -> You can then check the Headers section,
424.35 -> which should contain the following.
425.78 -> Alternatively, you can scan your site
427.88 -> using the security headers tool.
429.45 -> As I said before,
430.48 -> simply enter your website's URL and then click on Scan.
434.24 -> This will return a security report
436.17 -> which should contain a Strict-Transport-Security tag.
439.39 -> If this tag is present,
440.67 -> then your HSTS header is now set up correctly
443.47 -> and you've successfully closed the HTTPS redirect loophole.
448.71 -> An unsecured website puts your customers
450.94 -> and reputation at risk.
452.6 -> With Kinsta's Cloudflare integration,
454.55 -> all the security features you need are built right
456.87 -> into your plan at no additional cost.
459.23 -> That's a monthly savings of around $200 per site.
462.55 -> Learn more about these benefits, including DDoS protection,
465.82 -> a more secure firewall
467.1 -> and more at kinsta.com/cloudflare-integration.
471.28 -> Thank you so much for watching,
472.61 -> and if you found this video helpful,
474.05 -> please don't forget to like, subscribe
475.83 -> and hit the notification bell
476.94 -> for more tutorials, explainers
478.66 -> and helpful content like this.
480.383 -> (upbeat music)
Source: https://www.youtube.com/watch?v=Jx5NEOI_TPw
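The video names the preload-list submission criteria without listing them, and shows the Nginx and Apache snippets only on screen. The following is an added example (not code from the video, from Kinsta, or from hstspreload.org) that parses a Strict-Transport-Security header per RFC 6797 and checks a redirect chain against the criteria hstspreload.org publishes: the HTTP request must redirect to HTTPS on the same host, and every HTTPS hop, including intermediate redirects, must carry a header with max-age of at least one year, includeSubDomains and preload. The domain example.com and the two response chains are constructed samples, not captured from a real site; to check your own site, feed it the status codes and headers you capture with `curl -sI` or the DevTools Network tab.

```python
"""Check an HTTPS redirect chain against the HSTS preload submission criteria.

Added example for this page; not code from the video or from Kinsta.
The chains at the bottom are constructed samples; example.com stands in
for your own domain.
"""
import re
from urllib.parse import urlsplit

# hstspreload.org requires max-age of at least one year (31536000 seconds).
ONE_YEAR = 31536000

# One RFC 6797 directive: name, optionally "=" and a token or quoted-string.
# Directives are separated by ";" in the header value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def parse_hsts(value):
    """Return {directive-name (lowercased): value-or-None} for a header value.

    Raises ValueError on malformed syntax or a repeated directive: RFC 6797
    tells user agents to ignore such a header entirely, so "max-age" twice
    is as bad as no header at all.
    """
    directives = {}
    for part in value.split(';'):
        if not part.strip():
            continue                      # tolerate a trailing ";"
        m = _DIRECTIVE.match(part)
        if m is None:
            raise ValueError(f"malformed HSTS directive: {part.strip()!r}")
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        raw = m.group(3)
        directives[name] = None if raw is None else raw.strip()
    return directives


def max_age_seconds(directives):
    """max-age as an int, or None when absent or not a non-negative integer."""
    raw = directives.get('max-age')
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def header_problems(hsts_value):
    """Preload criteria that can be judged from one HTTPS response's header."""
    if hsts_value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    try:
        directives = parse_hsts(hsts_value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    age = max_age_seconds(directives)
    if age is None:
        problems.append("max-age directive missing or not an integer")
    elif age < ONE_YEAR:
        problems.append(f"max-age={age} is below the one-year minimum of {ONE_YEAR}")
    if 'includesubdomains' not in directives:
        problems.append("includeSubDomains directive missing")
    if 'preload' not in directives:
        problems.append("preload directive missing")
    return problems


def redirect_problems(host, status, location):
    """Criterion: http://host/ must redirect to https:// on the same host."""
    if not 300 <= status < 400 or not location:
        return [f"http://{host}/ answered {status} instead of redirecting to HTTPS"]
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return [f"redirect target {location!r} is not https"]
    if (target.hostname or "").lower() != host.lower():
        return [f"redirect leaves {host!r} for {target.hostname!r}; first hop must stay on the same host"]
    return []


def _get(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_site(host, chain):
    """Evaluate a chain of (url, status, headers) as seen when fetching
    http://host/ and following redirects. hstspreload.org wants the header on
    every HTTPS hop, including redirects, not only on the final page."""
    problems = []
    first_url, first_status, first_headers = chain[0]
    if urlsplit(first_url).scheme.lower() == "http":
        problems += redirect_problems(host, first_status, _get(first_headers, "Location"))
    for url, status, headers in chain:
        if urlsplit(url).scheme.lower() != "https":
            continue
        for problem in header_problems(_get(headers, "Strict-Transport-Security")):
            problems.append(f"{url}: {problem}")
    return problems


# Constructed sample chains (not captured from a real site).
WEAK_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 301, {"Location": "https://www.example.com/"}),  # hop without HSTS
    ("https://www.example.com/", 200, {"strict-transport-security": "max-age=300"}),
]
GOOD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    for label, chain in (("weak", WEAK_CHAIN), ("good", GOOD_CHAIN)):
        problems = check_site("example.com", chain)
        print(f"{label}: {'ready for preload' if not problems else 'NOT ready'}")
        for problem in problems:
            print("  -", problem)
```

The GOOD_CHAIN header is what the server-side step in the video should produce: in Nginx, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` inside the HTTPS `server` block (the `always` parameter makes Nginx send it on redirect and error responses too), and in Apache, `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` in the HTTPS virtual host. One caveat before copying that line: includeSubDomains and preload are hard to undo, because browsers cache the policy for max-age and removal from the preload list takes months to reach users, so confirm that every subdomain serves HTTPS first, and roll out with a short max-age and without preload until you are sure.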