HTTP Strict Transport Security (HSTS) Implementation

Rackspace will be implementing HTTP Strict Transport Security (HSTS) on the Cloud Sites infrastructure on August 1, 2016. This security upgrade only applies to HTTPS sites. HSTS significantly improves website security: it ensures redirects are protected from information capture by attackers and protects against malicious redirects to phishing sites.

All Laughing Squid Web Hosting customers using SSL for their sites will need to resolve any mixed content warnings on their sites by August 1st to avoid downtime. More information on what mixed content is and how to verify and correct it is available here:

https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content?hl=en

To test changes prior to the implementation, put this line at the top of your .htaccess file:

Header Set Strict-Transport-Security "max-age=90"

This will cause HSTS to be strictly enforced on the site for up to 90 seconds, a window short enough to keep the enforcement from staying cached while still allowing changes to any page(s) if needed. On August 1st, Rackspace will set the enforcement time to 180 days, which is the full implementation recommendation. After this, any sites with mixed content will be unable to serve content properly.

If you have issues with the new HSTS implementation, please contact us through the Help Desk.