
How Tallyfy uses HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security rule that Tallyfy uses to help protect your data. It ensures the connection between your web browser and Tallyfy is always secure (encrypted). This article explains HSTS, its benefits, and the security problems it prevents.

What is HTTP Strict Transport Security (HSTS)?

HSTS is a security instruction used by websites. It tells web browsers (like Chrome, Firefox, Safari) that they must only communicate with the website using a secure HTTPS connection. It’s like Tallyfy telling your browser, “Always use a secure, secret code when you talk to me.”

When you first visit Tallyfy using a secure HTTPS connection, our website sends a message back to your browser (the Strict-Transport-Security header). This message tells your browser to only use HTTPS for all future visits to Tallyfy for a long time (typically around two years).

How Tallyfy uses HSTS

Tallyfy uses HSTS everywhere. More importantly, Tallyfy is included in the HSTS preload lists built into major web browsers.

Being on this list means your browser knows it must use secure HTTPS for Tallyfy even before your first visit. This closes a potential security loophole, giving you improved security from the start.

Benefits of HSTS for Tallyfy customers

Tallyfy using HSTS provides several security benefits:

  • Protection against eavesdropping: HSTS helps stop attackers from forcing your browser to switch from secure HTTPS to insecure HTTP (an SSL stripping attack). This might happen if you accidentally type http://tallyfy.com or click an old link. HSTS tells your browser to switch to HTTPS locally, before sending any data, blocking the attack.
  • Secure Cookies: Info stored in browser cookies (like login details) could be stolen over insecure HTTP. Because HSTS stops the browser from ever making a plain-HTTP request to Tallyfy, important cookies aren’t sent insecurely, protecting your login, especially on public Wi-Fi.
  • Privacy: By forcing all communication to be encrypted, HSTS keeps your Tallyfy activity private and safe from eavesdropping.
  • Confidence: Knowing Tallyfy uses security rules like HSTS shows we take data protection seriously.

Security threats prevented by HSTS

HSTS helps prevent these security problems:

  • SSL Stripping: Stops attackers from tricking your browser into using insecure HTTP.
  • Protocol Downgrade Attacks: Prevents tricks trying to force your browser to use less secure HTTP.
  • Cookie Theft: Stops attackers stealing your login details (session cookies) on unsecured networks by ensuring cookies only travel over secure HTTPS.

Real-life example: Public Wi-Fi

Imagine using Tallyfy on public Wi-Fi. A hacker on the same network could try an SSL stripping attack. If you typed http://tallyfy.com, the hacker might try to prevent your browser from switching to the secure HTTPS version, potentially seeing your login or other data. Because Tallyfy uses HSTS and is preloaded, your browser automatically switches to HTTPS locally before sending anything, stopping the attack.

HSTS requirements and why they exist

For HSTS (especially preloading) to work safely, websites must follow certain rules:

  1. Have a valid security certificate (TLS/SSL): This is the basis of HTTPS. Why? It ensures you are connected to the real Tallyfy, enabling secure, encrypted communication.
  2. Redirect HTTP visitors to HTTPS: Anyone visiting http:// must be automatically sent to the https:// address. Why? Guides users to the secure version and ensures the HSTS rule is sent securely.
  3. Serve everything over HTTPS: The entire site (images, scripts, etc.) must load securely over HTTPS. Why? Avoids browser security warnings and ensures the entire page is secure.
  4. Send the HSTS rule only over HTTPS: The Strict-Transport-Security header must only be sent over secure HTTPS. Why? Headers sent over insecure HTTP can be altered by attackers.
  5. Set a long time limit (max-age): The rule tells browsers to use HTTPS for a long time (at least 1 year for preloading). Why? Keeps connections secure even if you don’t visit Tallyfy for a while.
  6. Include subdomains (for preload): The rule must apply to all Tallyfy subdomains (like app.tallyfy.com). Why? Protects all Tallyfy services.
  7. Include the preload marker (for preload): Signals agreement to inclusion in browser HSTS lists. Why? Needed for the extra security of being preloaded.

These rules ensure that once your browser learns the HSTS rule for Tallyfy, it can reliably enforce secure connections, protecting you.
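As an added example (not code from Tallyfy or from this article), the Python below checks a Strict-Transport-Security header value against the preload requirements listed above (max-age of at least one year, includeSubDomains, preload) and mimics the browser-side upgrade from the public Wi-Fi example: an http:// URL for a host, or a subdomain of a host, in the browser's HSTS store is rewritten to https:// before any request is sent. The header value and the HSTS store are constructed samples, not Tallyfy's real configuration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # preload lists require max-age of at least one year

def parse_hsts(header):
    """Split a Strict-Transport-Security value into its directives (names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and re.fullmatch(r'"?\d+"?', value.strip()):
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def preload_problems(header):
    """Return why a header fails the preload requirements; an empty list means eligible."""
    p, problems = parse_hsts(header), []
    if p["max_age"] is None:
        problems.append("missing max-age")
    elif p["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age shorter than one year")
    if not p["include_subdomains"]:
        problems.append("missing includeSubDomains")
    if not p["preload"]:
        problems.append("missing preload")
    return problems

def browser_upgrade(url, store):
    """Mimic the browser's local upgrade: rewrite http:// to https:// when the host,
    or a parent domain whose policy has includeSubDomains, is in the HSTS store."""
    u = urlsplit(url)
    if u.scheme != "http":
        return url
    host, port = u.hostname or "", u.port
    labels = host.split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            netloc = host if port in (None, 80) else f"{host}:{port}"  # RFC 6797: port 80 becomes 443
            return urlunsplit(("https", netloc, u.path, u.query, u.fragment))
    return url  # no HSTS policy known: the request would go out over plain HTTP

# Constructed sample store: the header value is an example, not Tallyfy's real header.
HSTS_STORE = {"tallyfy.com": parse_hsts("max-age=63072000; includeSubDomains; preload")}
```

Run `preload_problems` against a header captured from a real https:// response to see which preload requirement it misses, and `browser_upgrade` against an http:// link to see whether the store would upgrade it.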
