
How do I add Strict-Transport-Security?

I have ‘Use secure frame headers’ enabled in the website settings, but when the website is tested, the results come back with 3 missing Security Headers.

Thanks


same thing for me


Same… I would love to fix that

Same here.

Missing Headers

  • Strict-Transport-Security - HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value “Strict-Transport-Security: max-age=31536000; includeSubDomains”.

  • X-Content-Type-Options - X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.

  • Referrer-Policy - Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
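A small offline checker for the three findings listed above, added here as an example and not part of the original thread or of any scanner's code. It parses a Strict-Transport-Security value the way the report's recommended value (max-age of at least 31536000 with includeSubDomains) requires, and runs over a constructed set of response headers; the sample header values are made up.

```python
REQUIRED_MAX_AGE = 31536000  # 12 months, the minimum the report above recommends


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    # Directive names are case-insensitive (RFC 6797); a trailing ';' as in the
    # report's example value is tolerated. max_age is None if absent or invalid.
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def audit_headers(headers):
    """Return findings for a dict of response headers (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < REQUIRED_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {max_age} < {REQUIRED_MAX_AGE}")
        if not include_sub:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    xcto = lower.get("x-content-type-options", "")
    if xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "referrer-policy" not in lower:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed sample response headers: a site with only frame headers set,
# which is what the thread's first post describes.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Feed it the headers from a real response (for example, the dict from `requests` or `urllib`) to reproduce the three findings locally before re-running an external scanner.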

I had a good conversation with Webflow staff the other day about this, copied here:

Jon Reese
I’m losing clients who want to use Webflow but who are running SecurityScorecard reports which mandate HTTP Strict Transport Security (HSTS). They are Webflow fans and would love an excuse not to worry about the need to add HSTS headers to their site. We need to be able to tell them something. Here’s one of the conversations I’m having with a major client whose site is built and hosted on Webflow, but who is having to consider alternate website builders and hosts based on this one HSTS issue. We just need a response from Webflow that will help us keep them on Webflow.

Here’s what my client wrote:

The second biggest hurdle is hts_incorrect. Here are more details:
HTTP Strict Transport Security is an HTTP header that instructs clients (e.g., web browsers) to only connect to a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS. After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade to an unencrypted HTTP connection. The browser will expire the HTTP Strict Transport Security header after the number of seconds configured in the max-age attribute.
RISK
Even if a website is protected with HTTPS, most browsers will still try first to connect to the HTTP version of the website unless explicitly specified. At that moment, visitors to the website are vulnerable to a man-in-the-middle attacker that can prevent them from reaching the HTTPS version of the website they intended to visit and instead divert them to a malicious website. The HSTS header ensures that, after a user’s initial visit to the website, they will not be susceptible to this man-in-the-middle attack because they will immediately connect to the HTTPS-protected website.
RECOMMENDATION
Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the ‘includeSubDomains’ directive so that requests to subdomains are also automatically upgraded to HTTPS. An acceptable HSTS header would declare: Strict-Transport-Security: max-age=31536000; includeSubDomains;
REFERENCES
HTTP Strict Transport Security Cheat Sheet (OWASP/CheatSheetSeries on GitHub: CheatSheetSeries/HTTP_Strict_Transport_Security_Cheat_Sheet.md at master)

Barrett Johnson

We have an entry level “Enterprise Lite” site plan that offers custom HSTS security headers. Ethan Lewis can jump in to provide more info

Jon Reese

One of my clients did reach out and found out about that, but the $15,000/yr was cost-prohibitive to them.

But as evangelists and Webflow Experts ourselves, we’d love to know more about HSTS as it relates directly to Webflow’s architecture. I just need talking points when discussing the point with clients or IT departments.

Ethan Lewis

Hey Jon, working with our team to get you an answer here. I believe as Barrett mentioned it’s only offered on Enterprise or Lite but double checking and getting exact cost idea of what that would be.

Just to confirm, HSTS is only available on our highest Enterprise Lite or full Enterprise platform (ENT Lite starts at $15k/year). From a packaging standpoint, that’s the only option that we have unfortunately.

Megan Wallace to fill in the questions about “We’d love to know more about HSTS as it relates directly to Webflow’s architecture. I just need talking points when discussing the point with clients or IT departments.”

Megan Wallace

Hi @jonreese.com, re: talking points for HSTS, we don’t have any that specifically relate to Webflow’s architecture, as it’s just a standard website method that we provide access to through Enterprise & level 4 of Enterprise Lite, but here’s an article that will hopefully provide the information you’re looking for: https://www.acunetix.com/blog/articles/what-is-hsts-why-use-it/ If you need more info or have any specific questions around this that I can answer, please let me know. Thank you!

Jon Reese

Thanks so much Megan Wallace! Truly appreciate the talking points. One final question: What is keeping Webflow from moving 100% to https, to take advantage of the security an HSTS policy offers?

I’ll update this thread when I get a response to that final question, but it’s likely they won’t be able to do that for a while, as @webdev predicts/explains here.


@jonreese Did you ever get an answer to your last question?: “What is keeping Webflow from moving 100% to https, to take advantage of the security an HSTS policy offers?” And was the answer “money”?

This seems as shortsighted as charging $15K for an SSL cert back in the early aughts when they were gaining traction and becoming standard. Webflow sites already have SSL certs and redirects from http to https, so it’s just a header directive. A line of code. For fifteen thousand dollars. Sorry, starting at fifteen thousand dollars. Am I missing something?

The shared infrastructure problem… you can’t set policy A for 1 website and policy B for another website at the same time on the same host. If you really need to use a specific profile e.g. only use certain ciphers or HSTS then I would use a proxy if you can’t move to dedicated host.

Possible workaround in a managed environment you could enforce a policy in the users browser to use https connections only.

I understand the same server can’t serve two different policies, but couldn’t Webflow simply implement HSTS globally? Or make it optional and split servers into separate clusters. You opt-in to HSTS and wait 24 hours for migration to an HSTS cluster.

Yes, it would be great if they provided an option. Having separate clusters might address several issues HSTS included. Probably not as simple as it seems to have HSTS on by default globally, we might both need HSTS yet with different parameters.