Synology: What Does HSTS Mean in Web Station?


HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects a website against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It lets a web server, in this case a Synology NAS, declare that browsers (and other complying user agents) must only talk to it over HTTPS, i.e. over a TLS-protected connection, and never over plain, unencrypted HTTP. The policy is communicated by the server to the user agent through an HTTPS response header named “Strict-Transport-Security” (defined in RFC 6797); a browser only honours the header when it arrives over a valid HTTPS connection and ignores it if it is seen on a plain HTTP response.

For example, once HSTS is enabled in Web Station / Virtual Host settings and a browser has connected to the host over HTTPS once and received the header, that browser will from then on rewrite every http:// link or typed address for that host to https:// before the request is even sent, and will keep doing so for as long as the policy's max-age lasts; it will not fall back to HTTP.

Once you set up HSTS, the policy is stored by the user's browser (e.g. Chrome), not on the NAS, and it is valid for 6 months (the header carries this as a max-age in seconds) counted from the last HTTPS response that included the header; every later HTTPS visit renews it. In some browsers clearing site data or deleting cookies will remove the policy for the host; Chrome additionally lets you delete a single domain's entry under chrome://net-internals/#hsts. In other browsers (Safari, for example) the removal process is more complicated and issues may occur.

Should I Enable HSTS on my WordPress Website hosted on Synology NAS?

From personal experience, I do not recommend using this option. If this option remains active, and you later encounter problems with your SSL certificate (for example an expired certificate) or port-forwarding issues on your router, visitors whose browsers have already seen the policy will not be able to fall back to HTTP. Without a valid SSL certificate, the following error message will appear in Chrome or other browsers every time you try to connect to your domain: Your Connection is not Private. Because the host is HSTS-protected, that error cannot be clicked through; Chrome shows no “Proceed anyway” link for it. Websites using HSTS also often do not accept clear-text HTTP at all, either by rejecting connections over HTTP or by systematically redirecting users to HTTPS (though the specification does not require this). The consequence is that a user agent that is not capable of doing TLS will not be able to connect to the site.
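The browser-side mechanics described in the paragraphs above (a policy is learned only from a header received over HTTPS, http:// is rewritten to https:// for the max-age period, the entry lapses when max-age runs out, and a certificate error becomes a hard failure while the policy is live) are shown below as an added, toy model written for this page. It is not code from Synology, DSM or Web Station; the host names, header values and clock values are constructed, and the 15768000-second max-age is simply 6 months expressed in seconds, not a value copied from the Web Station configuration.

```python
"""Toy model of how a browser applies an HSTS policy (added example).

Not code from the Synology page or from DSM. All host names, header values
and clock values below are constructed; 15768000 s is just 6 months expressed
in seconds, not a value copied from the Web Station configuration.
"""
import time
from urllib.parse import urlsplit, urlunsplit

SIX_MONTHS = 15_768_000  # 182.5 days in seconds (assumption, see above)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None if the header is malformed: RFC 6797 requires a max-age
    directive. Unknown directives such as 'preload' are ignored.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Per-host policy store, like the one a browser keeps on disk."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Learn a policy from a response; returns True if one was recorded."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False  # a header received over plain HTTP is ignored
        parsed = parse_hsts(headers.get("strict-transport-security", ""))
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 is how a site retracts
        else:
            self.policies[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if self.clock() >= expires_at:
                del self.policies[candidate]  # max-age lapsed, forget it
            elif i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; other URLs pass through."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def on_certificate_error(self, host):
        """With a live policy the browser hard-fails; there is no click-through."""
        return "hard-fail" if self.is_known_host(host) else "warn-and-allow-bypass"


def demo():
    """Walk the lifecycle: no policy, header ignored on HTTP, learned, expired."""
    now = [1_600_000_000.0]  # constructed fake clock, advanced by hand
    cache = HstsCache(clock=lambda: now[0])
    policy = {"strict-transport-security": f"max-age={SIX_MONTHS}; includeSubDomains"}
    out = {}
    out["first_visit"] = cache.rewrite("http://nas.example.com/wordpress/")
    cache.observe_response("http://nas.example.com/", policy)   # over HTTP: ignored
    out["after_http_header"] = cache.rewrite("http://nas.example.com/wordpress/")
    cache.observe_response("https://nas.example.com/", policy)  # over HTTPS: learned
    out["after_https_header"] = cache.rewrite("http://nas.example.com/wordpress/")
    out["subdomain"] = cache.rewrite("http://blog.nas.example.com:80/")
    out["cert_error_now"] = cache.on_certificate_error("nas.example.com")
    now[0] += SIX_MONTHS + 1                                     # six months pass
    out["after_expiry"] = cache.rewrite("http://nas.example.com/wordpress/")
    out["cert_error_after_expiry"] = cache.on_certificate_error("nas.example.com")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:>24}: {val}")
```

The point of the walk-through is the last two results: after six months without a renewing HTTPS visit the browser forgets the host and a plain HTTP request works again, which is exactly the window during which a broken certificate or a missing port forward locks out everyone who visited recently. To see what your NAS actually sends, run `curl -sI https://your-domain/ | grep -i strict-transport-security` from outside your network; an empty result means the option is off for the virtual host you reached.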

No HSTS

HSTS is an extra security measure for you and your website, but I say use it only if you are an experienced user. If you are just beginning your journey with WordPress and hosting from home on a Synology NAS, expect there will be issues at some point or another if you are using HSTS.

This post was updated on Thursday / May 28th, 2020 at 11:51 PM