4.1.11 Ensure your domain is preloaded

Information

Preloading your domain hardcodes it as only being accessible through HTTPS by browsers.

Note: Preloading should only be done with careful consideration! Your website and all its subdomains will be forced over HTTPS. If your website or any of its subdomains are not able to support preloading, you should not preload your site. Preloading should be opt-in only, and if done, may impact more sites than the nginx instance you are working on. Removing preloading can be slow and painful, and should only be done with careful consideration according to https://hstspreload.org.

Rationale:

Preloading your domain helps prevent HTTP downgrade attacks and increases trust.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

In order to successfully preload your website, you must meet the below criteria:

Serve a valid certificate.

This may be accomplished by following recommendation 4.1.2.

Redirect from HTTP to HTTPS if using port 80.

This may be accomplished by following recommendation 4.1.1.

Configure all subdomains to support HTTPS only.

This will require you to configure every subdomain for HTTPS only. For example, workbench.cisecurity.org is a subdomain of cisecurity.org and would need to be configured for HTTPS only before cisecurity.org could be preloaded.

Configure an HSTS header on your base domain, as shown below for nginx.

If your base domain is served by nginx, you may accomplish this with a few modifications to the header from the HSTS recommendation. Change the header value to include the preload directive and the includeSubDomains directive, and set max-age to one year (31536000 seconds) or longer. The header should be modified similar to the below snippet.

# add_header takes the header name and its value as separate arguments; the value must not repeat the header name
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

After you have met these requirements, add your site to the list by following the instructions at https://hstspreload.org/.
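The following is an added example, not part of the CIS benchmark, nginx, or hstspreload.org. It checks two of the requirements above offline: that a Strict-Transport-Security header value is parsed the way a browser does (semicolon-separated, case-insensitive directive names, a repeated directive invalidates the header) and meets the preload criteria (max-age of at least one year, includeSubDomains, preload), and that the port 80 response is a redirect to https:// on the same host. The header values and responses are constructed samples; one of them is the original snippet's value with the header name mistakenly embedded, so you can see how a header that looks right in the config is rejected.

```python
"""Offline checks for the HSTS preload criteria (added example, not benchmark code)."""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year, in seconds


def parse_hsts(value: str) -> dict[str, str | None] | None:
    """Split a Strict-Transport-Security header value into {lower-case name: value or None}.

    Returns None when a directive name repeats: RFC 6797 tells user agents to
    ignore the whole header in that case, so the site is effectively unprotected.
    """
    directives: dict[str, str | None] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def preload_problems(value: str) -> list[str]:
    """Return the reasons the header value is not preload-eligible (empty list means eligible)."""
    problems: list[str] = []
    directives = parse_hsts(value)
    if directives is None:
        return ["a directive is repeated, so browsers ignore the whole header"]
    # Typical misconfiguration: the header name pasted into the add_header value.
    for name in directives:
        if name.startswith("strict-transport-security"):
            problems.append("the header name is embedded in the value; "
                            "add_header takes the name and value as separate arguments")
    max_age = directives.get("max-age")
    if max_age is None:
        problems.append("max-age is missing or has no value")
    elif not max_age.isdigit():
        problems.append(f"max-age {max_age!r} is not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains is missing")
    if "preload" not in directives:
        problems.append("preload is missing")
    return problems


def redirect_problems(status: int, location: str, host: str) -> list[str]:
    """Check the plain-HTTP response: it must redirect to https:// on the same host."""
    if status not in (301, 302, 307, 308):
        return [f"status {status} is not a redirect"]
    match = re.match(r"^https://([^/:?#]+)", location, re.IGNORECASE)
    if not match:
        return [f"Location {location!r} does not point at an https:// URL"]
    if match.group(1).lower() != host.lower():
        return [f"redirect goes to {match.group(1)} instead of the same host {host}"]
    return []


# Constructed sample values, not captured from any real site.
PAGE_SNIPPET_VALUE = "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"
CORRECT_VALUE = "max-age=31536000; includeSubDomains; preload"
SHORT_VALUE = "max-age=300; includeSubDomains"

if __name__ == "__main__":
    for value in (PAGE_SNIPPET_VALUE, CORRECT_VALUE, SHORT_VALUE):
        print(repr(value), "->", preload_problems(value) or "eligible")
    print(redirect_problems(301, "https://example.com/", "example.com") or "redirect ok")
    print(redirect_problems(301, "http://example.com/", "example.com"))
```

Run it against the header value your nginx instance actually sends (for example, the value copied from a curl -I response) rather than against the configuration file, since the browser and hstspreload.org only ever see the emitted header.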

Default Value:

Your website is not preloaded by default.

See Also

https://workbench.cisecurity.org/files/4212