HTTP Strict Transport Security (HSTS) is a web security standard that Tallyfy employs to protect your data and ensure secure communication between your browser and our platform. This article explains what HSTS is, how it benefits you as a Tallyfy user, and the security threats it helps prevent.
HSTS is a security policy mechanism that web servers use to declare that browsers (or other compliant user agents) should only interact with them using secure HTTPS connections. It effectively tells your browser: “Only talk to me over a secure, encrypted channel.”
When you connect to Tallyfy for the first time over HTTPS, our servers send a special response header called Strict-Transport-Security. This header instructs your browser to exclusively use HTTPS for all future connections to Tallyfy domains for a specific duration (defined by the max-age directive, typically set for a long period like two years).
Tallyfy fully implements HSTS across its services. Importantly, Tallyfy is also included in the HSTS preload lists used by major web browsers (like Chrome, Firefox, Safari, and Edge).
Being on the preload list means your browser knows to only use HTTPS for Tallyfy even before your first visit. This eliminates a small window of vulnerability present with standard HSTS implementation, providing enhanced security from the very start.
Tallyfy’s use of HSTS provides several security and privacy benefits:
http://tallyfy.com or clicked an old HTTP link) and forces your browser to communicate over unencrypted HTTP, even if the server supports HTTPS. HSTS prevents this by forcing the browser to upgrade to HTTPS before any communication occurs over the network.HSTS specifically addresses security vulnerabilities:
Imagine you’re using Tallyfy on a public Wi-Fi network (e.g., at a coffee shop or airport). An attacker on the same network could attempt an SSL stripping attack. If you typed http://tallyfy.com, the attacker could intercept this and prevent your browser from upgrading to the secure HTTPS version, potentially capturing your login credentials or other sensitive data. Because Tallyfy uses HSTS (and is preloaded), your browser automatically upgrades the connection to HTTPS locally, thwarting the attacker before the request even leaves your device.
For HSTS (and especially HSTS preloading) to work effectively and securely, web services must meet certain requirements:
includeSubDomains is used) and all resources (images, scripts, stylesheets), must be accessible over HTTPS without errors. Why? Prevents mixed content warnings and ensures the entire user experience is secure.Strict-Transport-Security header must be sent only on responses from HTTPS connections. Why? Headers sent over HTTP can be manipulated or stripped by attackers, so they are ignored by browsers.max-age: The max-age directive must be set to a substantial duration (at least 31536000 seconds, or 1 year, is required for preloading). Why? Ensures browsers enforce HTTPS for an extended period, maintaining protection between visits.includeSubDomains Directive (for Preload): This directive must be present for preload list inclusion, ensuring the policy applies to all current and future subdomains. Why? Provides comprehensive protection across the entire domain.preload Directive (for Preload): This directive signals consent for the domain to be included in browser preload lists. Why? Necessary opt-in mechanism for the enhanced security of preloading.These requirements ensure that once a browser learns the HSTS policy for Tallyfy, it can reliably and securely enforce HTTPS-only communication, providing protection against common web attacks.
Miscellaneous > Terms & legals
Tracking And Tasks > Protect sensitive data
Terms Legals > Tallyfy's privacy policy