LiquidFiles Documentation
LiquidFiles Documentation

Understanding HSTS

HSTS, or HTTP Strict Transport Security, is a security measure that has been implemented in LiquidFiles as well as in most web based functions across the Internet. It solves the problem that if you type www.something.com in your browser, by default the browser will first try connect using http even if https is the desired protocol.

When HSTS is enabled, after the initial http → https redirect, a HSTS header is sent, saying that for the next X seconds, only connect using https. The browser will then remember this setting for this site and until the X seconds timeout, it won't try, and it won't be possible to use http.

One thing to note is that HSTS is only valid with a CA signed certificate. You cannot enable HSTS with a self-signed certificate.

LiquidFiles in production with the setting to use Force HTTPs (in Admin → System → Network) uses the default HSTS setting of 63072000s, or 2 Years. With a trial/demo license, LiquidFiles uses a short HSTS setting of 3600s, or 1 hour so that you can see it working if you wish but it doesn't make a long term commitment if you want to change it before going into production.

Normally, this is completely transparent and it just improves security without any drawbacks, but there are a few scenarios where HSTS can cause an issue:

  • If you let your certificate expire — this will cause your browser to refuse to connect to the site. You won't be presented with a dialog box or anything, it will just refuse to connect. The solution in this case is to use a virgin browser, a browser you haven't previously connected to with LiquidFiles. So if you normally use Chrome, you can use Firefox or vise versa and after bypassing the certificate expiration warning dialog box you will be able to connect with the LiquidFiles system and update the certificate.
  • If you replace your certificate with a self-signed certificate. Same issue as above, the browser refuses to connect and you will need to use another browser to replace the certificate with a CA signed certificate.
  • If you wish to use http instead of https on a system that's been running for a while — if you still have a valid certificate, configuring LiquidFiles with Force HTTP will redirect the browser back to http and this will also clear the HSTS timeout. If your certificate has expired and instead of renewing you where planning to switch users to http, this is going to be a big issue for your users. When a browser that has previously connected with https and have the HSTS setting remembered it will refuse to load the https version of your LiquidFiles system and will therefore not get the redirect that happens as part of the Force HTTP configuration in LiquidFiles. Your options are then limited to:
    • Wait until HSTS expires — 2 Years, so not really a viable option.
    • Install a new CA signed certificate so that users can connect using https — you can then do the Force HTTP setting in LiquidFiles and once all browsers have connected or in maximum a year, every browser will switch to http.
    • Switch to another hostname which hasn't previously been configured with HSTS. Please note though that you cannot redirect from the old hostname to the new hostname unless you setup another server with a valid certificate for your old name as again browsers will refuse to connect to your old HSTS enabled hostname unless there's a valid certificate there.
  • You would also potentially run into issues if you decided to use an internal CA to sign the public LiquidFiles certificate. An internal CA would not be trusted by external browsers and if you previously used a public CA signed certificate, you would run into similar issues as described above.