Here are the advantages and disadvantages of enabling HSTS (HTTP Strict Transport Security) in Plesk SSL. It can be enabled with a single option when you set up your free SSL certificate:

Advantages

  • Prevents protocol downgrade attacks: HSTS ensures browsers only use HTTPS, blocking SSL stripping and similar attacks.
  • Protects against session hijacking and cookie theft: By enforcing encrypted connections, HSTS helps prevent attackers from stealing session cookies or data.
  • Automatic HTTPS redirection: Browsers automatically upgrade all HTTP requests to HTTPS, reducing reliance on insecure redirects.
  • Improves user trust and SEO: The browser lock icon and enforced HTTPS can boost user confidence and may help with search rankings.
  • Simplifies security implementation: HSTS can be enabled with a simple header and managed centrally through Plesk.

Disadvantages

  • Risk of site inaccessibility: If your SSL certificate expires or is misconfigured, users cannot bypass warnings and will be locked out until it is fixed.
  • Initial connection not protected: The very first visit to your site is not protected by HSTS unless your domain is on the browser preload list.
  • Preload commitment is strict: If you add your domain to the HSTS preload list, removing it later is difficult and requires all subdomains to support HTTPS.
  • Potential issues with subdomains: If you use includeSubDomains, all subdomains must support HTTPS, or they will become inaccessible.
  • No user override: Users cannot “click through” SSL warnings, which can be problematic during certificate errors or migrations.

Best Practices

  • Start with a short max-age to test your HTTPS setup before committing to a longer period.
  • Ensure all subdomains support HTTPS before enabling includeSubDomains or preloading.
  • Monitor SSL certificate validity to avoid accidental site lockouts.
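The following is an added example, not part of the original article or of Plesk: a small Python checker that parses the Strict-Transport-Security header a site sends and reviews it against the best practices above. It reports the lockout window a broken certificate would cause, flags includeSubDomains when not every subdomain is known to serve HTTPS, and checks the preload submission requirements (includeSubDomains plus a max-age of at least one year). The 300-second "trial" value and the sample headers are constructed for the example; `all_subdomains_https` is an assumption you supply from your own inventory.

```python
"""Review a Strict-Transport-Security (HSTS) header against the best practices
listed above. Added example; not Plesk code."""

from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000   # seconds; preload submission requires at least this max-age
TRIAL_MAX_AGE = 300   # assumed 5-minute "trial" value for a first rollout


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is missing
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directives of an HSTS header value.

    Directive names are case-insensitive, max-age may be quoted, and unknown
    directives are ignored, as RFC 6797 specifies."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def lockout_days(policy: HstsPolicy) -> float:
    """Days a returning visitor stays pinned to HTTPS after their last visit.

    This is the window during which an expired or misconfigured certificate
    locks them out with no click-through, so it is the cost of a long max-age."""
    return (policy.max_age or 0) / 86400


def review_hsts(header_value: str, all_subdomains_https: bool) -> List[str]:
    """Return a list of warnings; an empty list means no issue was found."""
    policy = parse_hsts(header_value)
    warnings: List[str] = []
    if policy.max_age is None:
        # Without max-age the header is not a valid HSTS policy at all.
        return ["missing max-age: browsers ignore the header"]
    if policy.max_age == 0:
        warnings.append("max-age=0 clears the policy on the next visit (rollback setting)")
    if policy.include_subdomains and not all_subdomains_https:
        warnings.append("includeSubDomains with subdomains that lack HTTPS will make them inaccessible")
    if policy.preload:
        if not policy.include_subdomains:
            warnings.append("preload requires includeSubDomains")
        if policy.max_age < ONE_YEAR:
            warnings.append("preload requires max-age of at least one year")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: a trial rollout, and a full preload policy.
    samples = [
        f"max-age={TRIAL_MAX_AGE}",
        "max-age=31536000; includeSubDomains; preload",
    ]
    for header in samples:
        policy = parse_hsts(header)
        print(f"{header!r}: lockout window {lockout_days(policy):.2f} days")
        for w in review_hsts(header, all_subdomains_https=False):
            print("  warning:", w)
```

Run it once with `all_subdomains_https=False` before you enable includeSubDomains in Plesk; the warnings are exactly the lockout conditions the disadvantages above describe, and `lockout_days` tells you how long a certificate mistake would keep returning visitors out.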