As noted in my previous post, I’ve finally switched my domain to HTTPS. I was reluctant to enable HSTS (HTTP Strict Transport Security) at first but after looking at this talk, I’ve decided to just go with the flow and enable it on CloudFlare:
Basically it means that, as of right now, you’ll always use HTTPS when visiting my website, even if you try and visit the old HTTP URL. This will occur not only because my Apache server is configured to automatically redirect you to the HTTPS version, but because your browser will automatically go to the HTTPS URL. Why will it do that? Because my site is now sending the HSTS HTTP header:
strict-transport-security:max-age=15552000; includeSubDomains; preload
Basically that header tells your browser: This is an HTTPS enabled website, always use HTTPS if you come back here. Please do this for this domain and all sub-domains for the next six months..
For now, as my site isn’t in the browsers HSTS preload list yet (I’ve just submitted it), you may visit this site once more using plain HTTP but as soon as your browser will see the HSTS HTTP header it’ll remember to always switch to HTTPS.
Why does HSTS matter? Because it will protect YOU against man-in-the-middle attacks.. not that this Website is sensitive in any way, but as a good Web citizen I have to do what I can, right? ;-)
I was hesitant to enable this because I’ve just signed up with CloudFlare and if they decide to drop their free subscription plan then it means that I’ll be forced to find either another similar solution or buy a certificate that I can install on my web host; in my case OVH doesn’t allow importing third party certificates and they charge about 50€ per year for that (which is wayyyyyyyy too much for a personal website).
The bet that I’m making by enabling HSTS now is simply that the free subscription model of CloudFlare will remain available for at least 2-3 years (hopefully much longer) and that in the meantime, given how Mozilla, Google major players and others are pushing for HTTPS everywhere, the overall accessibility/affordability of HTTPS for personal websites will have improved. If I’m wrong well then I’ll either pay if you show me enough love or shut this thing down ;-)