Securing your website with https:// is not enough
Unless you’ve recently had your website security upgraded, chances are it is vulnerable. For most websites there is a momentary window of opportunity for hackers to bust it open if they test its ability to redirect from the http:// to the https:// address.
It is a cat-and-mouse game: you shore up against hackers, they find a new way in, and you must defend against that too. Don’t expect your website host to be doing this for you. It’s for you to push them into taking action, regularly.
This weakness, obviously exploited more often during this COVID-19 era, is easily guarded against by implementing HTTP Strict Transport Security (HSTS).
To a skilled hacker, most websites have a vulnerability when switching traffic from HTTP to HTTPS. There is a moment during this switch (done by your website using a 301 redirect) where a hacker can mount a man-in-the-middle attack that prevents your site from continuing with HTTPS. It’s then easy to sniff and open content.
HSTS prevents this and it is relatively simple to implement. Sites that have multiple integrations and pull content from multiple sources can be a little trickier, as each source needs to be set up to be handled by the HSTS directives.
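An added example, not part of the original article: a small Python check of the Strict-Transport-Security header a site returns, following the parsing rules in RFC 6797. The 180-day minimum for max-age, the function names and the sample responses are assumptions made for illustration.

```python
# Added example: audit a Strict-Transport-Security header (parsing rules from RFC 6797).
MIN_MAX_AGE = 15552000  # assumption: about 180 days as the shortest acceptable lifetime
def parse_hsts(value):
    """Return (max_age, include_subdomains, preload), or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue                         # tolerate empty segments such as a trailing ';'
        if name in seen:
            return None                      # a directive may appear only once
        seen[name] = arg.strip().strip('"')  # values may be quoted strings
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                          # max-age is required and must be an integer
    return int(age), "includesubdomains" in seen, "preload" in seen

def audit(scheme, headers):
    """Return findings for one response; an empty list means no problem was found."""
    raw = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if scheme == "http":
        # Browsers ignore HSTS received over plain HTTP; this hop is the 301 redirect window.
        return ["HSTS sent over plain HTTP is ignored by browsers"] if raw else []
    if raw is None:
        return ["no HSTS header: each http:// visit repeats the unprotected redirect"]
    policy = parse_hsts(raw)
    if policy is None:
        return ["malformed HSTS header: browsers discard it"]
    max_age, subdomains, _ = policy
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append("max-age is below %d seconds" % MIN_MAX_AGE)
    if not subdomains:
        findings.append("includeSubDomains missing: subdomains are not covered")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http",  {"Location": "https://example.com/"}),
    ("https", {"Content-Type": "text/html"}),
    ("https", {"Strict-Transport-Security": "max-age=300"}),
    ("https", {"Strict-Transport-Security": "max-age=31536000; max-age=0"}),
    ("https", {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
if __name__ == "__main__":
    for scheme, headers in SAMPLES:
        print(scheme, headers, "->", audit(scheme, headers) or "OK")
```

Each integration or content source that serves your pages can be checked the same way by passing its response headers to audit().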
Quick analogy comparing your home to your website.