
HSTS - can we set this? How and where

A couple of website testers suggest that my website is not meeting best security practices.
They say to prevent SSL stripping (wifi hotspot attacks) I should disable any initial contact via http.
The code or setting is

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Does anyone know or actually use this?
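The header quoted above is what a scanner looks for, and the two details that decide whether it "counts" are that browsers only honour it on a response received over HTTPS (RFC 6797 section 8.1) and that the preload list requires max-age of at least one year plus includeSubDomains and preload. The following parser and checker are an added example written for this thread, not code from the original post or from Webflow; the finding strings and the HstsPolicy/check_hsts names are my own, and the sample header values are constructed.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) header the way a
site scanner would.  Added example; the names and finding texts are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# hstspreload.org requires at least one year; RFC 6797 itself sets no minimum.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> HstsPolicy:
    """Parse an STS header value per RFC 6797 section 6.1.

    Directive names are case-insensitive, max-age is mandatory, no directive may
    appear twice (browsers ignore the whole header if one does), values may be
    quoted, and unknown directives are ignored.
    """
    seen = {}
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError(f"duplicate directive {name!r}; browsers ignore the header")
        seen[name] = value
    if "max-age" not in seen:
        raise ValueError("max-age is required; browsers ignore the header without it")
    if not re.fullmatch(r"\d+", seen["max-age"]):
        raise ValueError(f"max-age must be a non-negative integer, got {seen['max-age']!r}")
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def check_hsts(scheme: str, header: Optional[str]) -> List[str]:
    """Return scanner-style findings for one response.

    scheme is the scheme the response was fetched over: browsers only honour
    HSTS on responses received over HTTPS, so the same header sent over plain
    HTTP protects nobody.  An empty list means the policy is preload-ready.
    """
    findings: List[str] = []
    if header is None:
        return ["no Strict-Transport-Security header: the first HTTP contact can be stripped"]
    if scheme.lower() != "https":
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        return findings + [f"malformed header: {exc}"]
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS policy")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if policy.preload and (policy.max_age < PRELOAD_MIN_MAX_AGE or not policy.include_subdomains):
        findings.append("preload requested but preload-list requirements are not met")
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        ("https", "max-age=31536000; includeSubDomains; preload"),
        ("http", "max-age=31536000; includeSubDomains; preload"),
        ("https", "max-age=0"),
        ("https", 'MAX-AGE="600"; IncludeSubDomains; preload'),
        ("https", None),
    ]
    for scheme, value in samples:
        print(f"{scheme}: {value!r} -> {check_hsts(scheme, value) or 'preload-ready'}")
```

The checker deliberately treats max-age=0 as its own finding rather than a "too short" value: per RFC 6797 it is the documented way to tell browsers to drop a stored policy, so a site that accidentally serves it is not merely weak but actively undoing any protection it had.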

It’s not a choice you can enable with Webflow hosting.


Ow, that’s a shame, maybe they should include it automatically or have a slider option.

Webflow allows HTTP sites. Until they force everything to HTTPS this is not going to happen. There are probably too many legacy sites hosted that would require user modification to make the transition (DNS changes). I am only speculating on what holds them back. This is probably a NO GO with everything else going on.

We’ve just had a client query this as well as a result of a security report telling them that the site has a security weakness - ‘HTTP Strict Transport Security (HSTS) not strictly enforced for domain-######’

I hope Webflow considers this to be an issue that will be high on the dealbreaking criteria for potential clients as to whether or not to take a project on in Webflow. I imagine for ecommerce sites it’ll be even more of a concern. Fingers crossed it gets addressed sooner rather than later.

I see it is mentioned on the Wishlist here Support HSTS | Webflow Wishlist
