This website is undergoing some big updates.
As I have been learning and moving on with my personal growth, I am wanting to do more special projects.
As I have been getting down into it, I wanted to ensure my domain security… after I had moved my WordPress site to a Static Firebase website.
As I dived deeper into working on setting up the Strict-Transport-Security settings to preload, I learned that Firebase overwrites this particular setting. Guess what you can’t do from a Firebase website – get a website qualified for HSTSpreload.org.
Why do I care?
Well, for one I care about my own website security and the abilities of the ne’er do wells to interject themselves to precarious points.
Secondly, as an empathic designer/developer, the experience I provide my users is important to me. I want their browsers to understand what I am providing and garner trust.
To this end, I am setting up so that
odden.io and it’s subdomains will always require HTTPS to be hosted.
HTTP Strict-Transport-Security – What?
This security mechanism helps to enforce that your website will not be downgraded to HTTP easily or allow your cookies to get hijacked. Specifically, this allows the server to tell a person’s browser to work in a secure manner and never allow an insecure connection.
I worked with my host, Kinsta, to setup the header response to set the dns time out for a distant time, and to announce it is ready to be considered for the preload list. It took a bit of time, but we found a setting on NGINX to allow for the preload directive.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
NOTE: The preload had to be included inside the quotes unlike
The odden.io domain is again announcing it is HSTS status and am looking forward to it’s day it will be included in the preload list.
Testing and reviewing your domain status is great to show you areas your domain can improve its security directives. Following are some resources I found to be helpful:
Additional directives I learned also exist.
I am just getting into these, and found them through SecurityHeaders.com. Scott Helme (@Scott_Helme) has a lot of great information to read through.