Prerequisites for Namecheap Shared hosting to enable HSTS
Before any Namecheap Shared Hosting customer can enable HSTS Policy in cPanel account for a particular website, there is a list of requirements, not performing the most part of which will drive to a failure of attempting to enable HSTS. The list is rather small and contains the points that are not so difficult to implement:
- An SSL certificate is installed. The website must have a valid SSL Certificate installed for the domain name in question. It must be issued by any trusted Certificate Authority and have a valid expiration date. If the website deployment model implies creating subdomains, which are also required to be secured with an SSL certificate and HSTS Policy, then a valid SSL certificate, or a few of them, depending on whether it is a bunch of single-domain certificates, a wildcard or a multi-domain one, must secure both main domain name and the subdomains in question. The installation of the certificate on the server must contain the end-entity certificate (the one that was issued for the domain name) and a chain of CA certificates (CA bundle). There are no special restrictions regarding the certificate types or particular CAs, which must be chosen in order to have HSTS enabled. The main condition is that the installed certificate does not cause any errors or warnings during HTTPS connection.
- HTTPS redirection is enabled. A Strict-Transport-Security header cannot be sent back in a response to HTTP request over plain HTTP by its design. Therefore, an automatic redirection from HTTP to HTTPS must be set for the domain name so that if one is attempting to access “http://example.com”, he/she gets redirected to “https://example.com”. Namecheap Shared Hosting customers can enable such redirection by creating a corresponding rewrite rule in .htaccess file in cPanel.
- The issue of “mixed content” is resolved. Since the most recent web browsers versions started to warn visitors that a given website has unencrypted elements within the source code, it is highly recommended to switch all related external hyperlinks to HTTPS in order to avoid a possible HSTS failure due to “mixed content” security warnings.
While browsing over the Internet, you may find warnings about particular websites concerning “obsolete cryptography”. Those warnings can be met if a web server is using specific protocols, ciphers and key exchange mechanisms, which are considered as vulnerable for attacking and should be disabled on the server. All of such attacking possibilities were preliminary disabled on Namecheap hosting servers and anyone can check the score of a particular website hosted with Namecheap by running a test here.