How do I add Strict-Transport-Security?

I had a good conversation with Webflow staff the other day about this, copied here:

Jon Reese
I’m losing clients who want to use Webflow but who are running SecurityScorecard reports which mandate HTTP Strict Transport Security (HSTS). They are Webflow fans and would love an excuse not to worry about the need to add HSTS headers to their site. We need to be able to tell them something. Here’s one of the conversations I’m having with a major client whose site is built and hosted on Webflow, but who is having to consider alternate website builders and hosts based on this one HSTS issue. We just need a response from Webflow that will help us keep them on Webflow.

Here’s what my client wrote:

The second biggest hurdle is hts_incorrect. Here are more details:
HTTP Strict Transport Security is an HTTP header that instructs clients (e.g., web browsers) to only connect to a website over encrypted HTTPS connections. Clients that respect this header will automatically upgrade all connection attempts from HTTP to HTTPS. After a client receives the HSTS header upon its first website visit, future connections to that website are protected against Man-in-the-Middle attacks that attempt to downgrade to an unencrypted HTTP connection. The browser will expire the HTTP Strict Transport Security header after the number of seconds configured in the max-age attribute.
RISK
Even if a website is protected with HTTPS, most browsers will still try first to connect to the HTTP version of the website unless explicitly specified. At that moment, visitors to the website are vulnerable to a man-in-the-middle attacker that can prevent them from reaching the HTTPS version of the website they intended to visit and instead divert them to a malicious website. The HSTS header ensures that, after a user’s initial visit to the website, they will not be susceptible to this man-in-the-middle attack because they will immediately connect to the HTTPS-protected website.
RECOMMENDATION
Every web application (and any URLs traversed to arrive at the website via redirects) should set the HSTS header to remain in effect for at least 12 months (31536000 seconds). It is also recommended to set the ‘includeSubDomains’ directive so that requests to subdomains are also automatically upgraded to HTTPS. An acceptable HSTS header would declare: Strict-Transport-Security: max-age=31536000; includeSubDomains;
REFERENCES
HTTP Strict Transport Security Cheat Sheet https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.md
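The recommendation quoted in the report above can be checked mechanically, and the "browser upgrades future HTTP requests" behaviour it describes can be modelled in a few lines. The block below is an added example for this thread; it is not code from Webflow, SecurityScorecard or OWASP, and the function and class names (`parse_hsts`, `evaluate_hsts`, `HstsCache`) and the sample hosts are my own assumptions. `evaluate_hsts` applies exactly the thresholds the report states (max-age of at least 31536000 seconds plus includeSubDomains), and `HstsCache` shows why the policy only helps after the first HTTPS visit: a header seen over plain HTTP is ignored, as RFC 6797 requires.

```python
"""Check a Strict-Transport-Security header against the SecurityScorecard
recommendation quoted above, and model a conforming client's HSTS cache.
Example code added to the thread; not Webflow's or SecurityScorecard's."""

import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the minimum max-age the report asks for (12 months)


def parse_hsts(header):
    """Split a header value into {directive: value}. Directive names are
    case-insensitive; a value-less directive maps to None. Returns None if a
    directive appears twice, which RFC 6797 treats as an invalid header."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:                      # tolerate a trailing ';'
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:
            return None
        directives[name] = value
    return directives


def evaluate_hsts(header):
    """Return (ok, findings) for a header value (None = header absent).
    'ok' is True only when max-age >= one year and includeSubDomains is set."""
    if header is None:
        return False, ["no Strict-Transport-Security header"]
    directives = parse_hsts(header)
    if directives is None:
        return False, ["duplicate directive; header is invalid per RFC 6797"]
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains directive missing")
    return not findings, findings


class HstsCache:
    """Minimal model of a browser's known-HSTS-host list."""

    def __init__(self):
        self.entries = {}  # host -> (expiry timestamp, includeSubDomains)

    def learn(self, host, header, over_https, now=None):
        """Record the policy carried by a response from `host`. Returns True if
        the host is now (still) a known HSTS host. A header received over
        plain HTTP is ignored, so the first visit is never protected."""
        now = time.time() if now is None else now
        host = host.lower()
        if not over_https:
            return host in self.entries
        directives = parse_hsts(header)
        if directives is None or not (directives.get("max-age") or "").isdigit():
            return host in self.entries  # invalid header: leave state unchanged
        max_age = int(directives["max-age"])
        if max_age == 0:                  # max-age=0 tells the client to forget the host
            self.entries.pop(host, None)
            return False
        self.entries[host] = (now + max_age, "includesubdomains" in directives)
        return True

    def _covered(self, host, now):
        host = host.lower()
        for known, (expires, include_sub) in self.entries.items():
            if now >= expires:
                continue                  # policy expired; client reverts to plain HTTP
            if host == known or (include_sub and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url, now=None):
        """Return the URL a conforming client would actually request."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname or "", now):
            return urlunsplit(("https",) + parts[1:])
        return url


if __name__ == "__main__":
    # Constructed sample: the header the report calls acceptable.
    print(evaluate_hsts("max-age=31536000; includeSubDomains;"))
    cache = HstsCache()
    cache.learn("example.com", "max-age=31536000; includeSubDomains", over_https=True)
    print(cache.upgrade("http://www.example.com/login"))
```

Run as a script it prints `(True, [])` and the upgraded `https://www.example.com/login`; point `evaluate_hsts` at the value returned in a real response (for example from `requests.head(url).headers.get("Strict-Transport-Security")`) to reproduce the report's finding for any host, including each hop of a redirect chain, which the recommendation says must carry the header too.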

Barrett Johnson

We have an entry level “Enterprise Lite” site plan that offers custom HSTS security headers. Ethan Lewis can jump in to provide more info

Jon Reese

One of my clients did reach out and found out about that, but the $15,000/yr was cost-prohibitive to them.

But as evangelists and Webflow Experts ourselves, we’d love to know more about HSTS as it relates directly to Webflow’s architecture. I just need talking points when discussing the point with clients or IT departments.

Ethan Lewis

Hey Jon, working with our team to get you an answer here. I believe as Barrett mentioned it’s only offered on Enterprise or Lite but double checking and getting exact cost idea of what that would be.

Just to confirm, HSTS is only available on our highest Enterprise Lite or full Enterprise platform (ENT Lite starts at $15k/year). From a packaging standpoint, that’s the only option that we have unfortunately.

Megan Wallace to fill in the questions about “We’d love to know more about HSTS as it relates directly to Webflow’s architecture. I just need talking points when discussing the point with clients or IT departments.”

Megan Wallace

Hi @jonreese.com, re: talking points for HSTS, we don’t have any that specifically relate to Webflow’s architecture, as it’s just a standard website method that we provide access to through Enterprise & level 4 of Enterprise Lite, but here’s an article that will hopefully provide the information you’re looking for: https://www.acunetix.com/blog/articles/what-is-hsts-why-use-it/

If you need more info or have any specific questions around this that I can answer, please let me know. Thank you!

Jon Reese

Thanks so much Megan Wallace! Truly appreciate the talking points. One final question: What is keeping Webflow from moving 100% to https, to take advantage of the security an HSTS policy offers?

I’ll update this thread when I get a response to that final question, but it’s likely they won’t be able to do that for a while, as @webdev predicts/explains here.