What problems can occur when enabling HSTS without proper planning and communication with marketing teams?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Cloudflare explains enabling HSTS without ensuring that all links and resources resolve over HTTPS can negatively impact SEO. Broken links lead to a poor user experience and may harm search engine rankings. Marketing must be involved to ensure a smooth transition.
Email marketer from Stack Overflow responds that if a website enables HSTS and does not update all internal links to HTTPS, the website will break. The marketing team may see an immediate reduction in traffic and conversions.
Email marketer from LinkedIn explained a situation where enabling HSTS without client-side coordination broke links that were served via HTTP; a lot of client campaigns stopped working because their ESPs were not compatible.
Marketer from Email Geeks shares that HSTS/HTTPS is still not universally enabled. Issues arise when clients enable HSTS without notifying their marketing team, causing security issues when links set to HTTP are clicked. Often, marketing is unaware of the change, preventing them from proactively addressing the potential impacts, and IT teams may not fully grasp the consequences.
Email marketer from Salesforce explains that with the introduction of HSTS you need to ensure all links use HTTPS so that email marketing campaigns are not negatively impacted. This is particularly important for click-tracking URLs, image references, and links to landing pages.
Email marketer from Reddit shares that failing to account for existing HTTP links and resources can result in broken functionality. Proper communication between IT and marketing is essential to prevent disruptions.
Email marketer from EmailOctopus Blog shares that enabling HSTS without updating all assets (including links in email campaigns) to HTTPS can result in broken links and reduced engagement. Marketing teams need to coordinate with IT to ensure all URLs are updated before HSTS is enabled.
Marketer from Email Geeks recounts a situation where they had to request their ESP to configure their backend to support HTTPS for their domain. They emphasize that HTTPS support should be the standard for all ESPs.
Email marketer from Troy Hunt's Blog explains that HSTS primarily prevents man-in-the-middle attackers from downgrading secure HTTPS connections to insecure HTTP connections, thus protecting user data in transit. However, if implemented without considering existing HTTP links in emails, users might experience broken links and a degraded user experience.
What the experts say (3 expert opinions)
Expert from Email Geeks explains that if an ESP's click tracking endpoints support SSL but don't have it enabled for all customers, enabling HSTS for a domain can result in users encountering SSL mismatch errors when clicking email links, leading to a poor user experience. Some ESPs need to upgrade their systems to ensure HTTPS support is standard for all customers.
Expert from Email Geeks explains the problem is people turning HSTS on without ensuring it doesn't break anything.
Expert from Word to the Wise explains that one major problem with enabling HSTS is that it can break links if you don't ensure that all assets are served over HTTPS. This can particularly impact older email campaigns where links may still point to HTTP resources, and can lead to a negative user experience.
What the documentation says (4 technical articles)
Documentation from Mozilla Developer Network explains that HSTS instructs browsers to only connect to a website over HTTPS. If a user types `http://example.com`, the browser automatically upgrades the connection to `https://example.com`. Without proper planning, existing `http://` links in emails will fail, leading to broken user journeys.
Documentation from OWASP explains that while HSTS improves security, incorrect configuration or premature deployment can lead to accessibility issues. If internal or third-party links are not updated to HTTPS, users will encounter errors. Coordination with all teams, including marketing, is vital.
Documentation from Google Developers explains that to enable HSTS, you first need a fully functional HTTPS setup. Attempting to enable HSTS on a site with mixed HTTP and HTTPS content will cause breakages. Marketing teams need to ensure all links are HTTPS before HSTS deployment.
Documentation from DigiCert describes that introducing HSTS causes configuration errors if there are broken links. When a user clicks on an HTTP link, the browser attempts to forward to HTTPS. If that is invalid, it errors.
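The following Python script is an added example, not code from any of the sources quoted above. It models the browser behaviour MDN describes (an `http://` URL is rewritten to `https://` once the browser has cached a Strict-Transport-Security policy for the host, or for a parent domain that set `includeSubDomains`) and runs the pre-flight check a marketing team would want before HSTS goes live: pull every `href`/`src` out of a campaign template, predict which `http://` references the browser will upgrade, and flag the ones whose host is not known to serve HTTPS. That last case is the ESP click-tracking failure the Email Geeks expert describes: `click.example.com` is upgraded because `example.com` set `includeSubDomains`, but nothing answers correctly on port 443 there. The sample HTML, the hostnames and the set of HTTPS-capable hosts are constructed for illustration; `serves_https` is an optional live check built on the standard library and is not called by default, so the script runs offline.

```python
"""Pre-flight audit for an HSTS rollout: find http:// references in an email
template and predict which ones a browser holding an HSTS policy would upgrade."""
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample campaign template (not taken from any real ESP).
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="http://images.example.com/hero.png" alt="hero">
<a href="http://click.example.com/t/abc123">Shop now</a>
<a href="https://www.example.com/landing">Landing page</a>
<a href="http://www.example.com/promo">Old promo</a>
<a href="http://partner-cdn.example.net/offer">Partner offer</a>
</body></html>
"""

# Constructed: hosts already confirmed to serve HTTPS with a valid certificate.
# Note that the click-tracking host is missing, as in the ESP scenario above.
HTTPS_CAPABLE = {"www.example.com", "images.example.com"}


class _UrlCollector(HTMLParser):
    """Collect every href/src attribute value with the tag it came from."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append((tag, value))


def extract_urls(html):
    parser = _UrlCollector()
    parser.feed(html)
    return parser.urls


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> includeSubDomains flag."""

    def __init__(self):
        self.policies = {}

    def learn(self, host, header):
        max_age, include_sub = parse_hsts(header)
        if max_age is None:
            return  # no max-age: the header is ignored
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 clears a stored policy
        else:
            self.policies[host] = include_sub

    def is_upgraded(self, url):
        """Would the browser rewrite this http:// URL to https:// ?"""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            # Exact host match always applies; a parent domain applies only
            # if its policy carried includeSubDomains.
            if candidate in self.policies and (i == 0 or self.policies[candidate]):
                return True
        return False


def audit(html, store, https_capable):
    """Return (tag, url, verdict) for every http:// reference in the template."""
    report = []
    for tag, url in extract_urls(html):
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        if store.is_upgraded(url):
            verdict = "upgraded-ok" if parts.hostname in https_capable else "upgraded-BROKEN"
        else:
            verdict = "stays-http"
        report.append((tag, url, verdict))
    return report


def serves_https(host, timeout=5):
    """Optional live check (does a TLS handshake with hostname verification).
    Not called by default so the audit itself stays offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError (bad or mismatched certificate)
        return False


if __name__ == "__main__":
    store = HstsStore()
    # The policy the site is about to ship for its apex domain.
    store.learn("example.com", "max-age=31536000; includeSubDomains")
    for tag, url, verdict in audit(SAMPLE_EMAIL_HTML, store, HTTPS_CAPABLE):
        print(f"{verdict:16} <{tag}> {url}")
```

Run against the sample, the report marks `http://click.example.com/t/abc123` as `upgraded-BROKEN`: the apex policy with `includeSubDomains` drags the tracking subdomain along, and unless the ESP enables HTTPS for that hostname first, every click in every sent campaign will fail with a certificate error. The partner link on `example.net` is untouched by the policy and stays HTTP. Populating `HTTPS_CAPABLE` with `serves_https()` results for each host in the report turns this into the actual go/no-go check to run before the header is deployed.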