Suped

What problems can occur when enabling HSTS without proper planning and communication with marketing teams?

9 Marketer opinions3 Expert opinions4 Technical articles3 Resources

Summary

Enabling HSTS without proper planning and communication, especially with marketing teams, can lead to various problems. A central issue is that HSTS enforces HTTPS connections, and if existing HTTP links in emails, websites, and marketing materials aren't updated to HTTPS, users experience broken links and a degraded experience. This impacts SEO, reduces traffic, conversions, and breaks client campaigns if ESPs are incompatible. SSL mismatch errors can occur if ESPs don't fully support SSL on their click-tracking endpoints. The lack of coordination between IT and marketing results in reactive problem-solving rather than proactive planning. Ensuring a fully functional HTTPS setup and aligning all systems to support HTTPS is essential for a smooth transition.

Key findings

  • Broken Links & User Experience: Failure to update HTTP links to HTTPS results in broken links, frustrating users, and damaging their experience.
  • SEO and Engagement Impact: Broken links negatively affect SEO rankings, reduce engagement, click-through rates, and conversions.
  • ESP Compatibility Issues: Some older ESPs may not fully support HTTPS or SSL on click-tracking endpoints, causing compatibility issues and SSL mismatch errors.
  • Communication Breakdown: A lack of communication and coordination between IT and marketing teams leads to reactive problem-solving and disruptions.
  • Security Risks & Downgrade Attacks: Without HTTPS enforcement, systems are vulnerable to downgrade attacks, which are largely prevented by HSTS when properly set up.

Key considerations

  • IT & Marketing Alignment: Establish clear communication and collaboration between IT and marketing teams for coordinated changes and understood impacts.
  • Comprehensive HTTPS Audit & Update: Conduct a thorough audit of all existing links and resources, updating any using HTTP to HTTPS.
  • ESP Assessment & Upgrade: Assess your ESP's HTTPS and SSL capabilities; ensure they fully support HTTPS to avoid compatibility and SSL mismatch errors.
  • Testing and Validation: Thoroughly test all email campaigns, website pages, and marketing materials after enabling HSTS to ensure proper function.
  • Phased Rollout & Monitoring: Consider a phased rollout of HSTS to monitor performance and address any issues before full implementation.
  • Fully Functional HTTPS Setup: Ensure a fully functional HTTPS setup across the entire domain before enabling HSTS to prevent initial breakages.

What email marketers say
9Marketer opinions

Enabling HSTS (HTTP Strict Transport Security) without proper planning and communication, particularly with marketing teams, can lead to significant problems. HSTS enforces HTTPS connections, and if existing HTTP links in emails, websites, and other marketing materials aren't updated to HTTPS, users will encounter broken links and a degraded experience. This can negatively impact SEO, reduce traffic and conversions, and break client campaigns if ESPs are not compatible. Coordination between IT and marketing is essential to ensure a smooth transition and avoid disruptions.

Key opinions

  • Broken Links: Failure to update HTTP links to HTTPS results in broken links, frustrating users and damaging the user experience.
  • SEO Impact: Broken links negatively affect SEO rankings, as search engines penalize sites with poor user experiences.
  • Reduced Engagement: Broken links and errors lead to reduced engagement, click-through rates, and conversions from marketing campaigns.
  • ESP Compatibility: Some older ESPs may not fully support HTTPS, causing compatibility issues and campaign failures when HSTS is enabled.
  • Lack of Awareness: Often marketing teams are not informed or consulted before HSTS is enabled, leading to reactive problem-solving rather than proactive planning.

Key considerations

  • IT & Marketing Alignment: Establish clear communication and collaboration between IT and marketing teams to ensure changes are coordinated and potential impacts are understood.
  • HTTPS Audit: Conduct a thorough audit of all existing links and resources to identify any that are still using HTTP and update them to HTTPS.
  • ESP Assessment: Assess your ESP's HTTPS capabilities and ensure they fully support HTTPS to avoid compatibility issues.
  • Testing: Thoroughly test all email campaigns, website pages, and other marketing materials after enabling HSTS to ensure everything functions correctly.
  • Phased Rollout: Consider a phased rollout of HSTS to monitor performance and address any issues before fully implementing it across your entire domain.
  • Client Communication: Communicate changes to clients to allow for client side coordination so they are prepared for any potential compatibility issues.
Marketer view

Email marketer from Cloudflare explains enabling HSTS without ensuring that all links and resources resolve over HTTPS can negatively impact SEO. Broken links lead to a poor user experience and may harm search engine rankings. Marketing must be involved to ensure a smooth transition.

July 2022 - Cloudflare
Marketer view

Email marketer from Stack Overflow responds that if a website enables HSTS and does not update all internal links to HTTPS, the website will break. The marketing team may see an immediate reduction in traffic and conversions.

May 2021 - Stack Overflow
Marketer view

Email marketer from LinkedIn explained a situation where enabling HSTS without client side coordination broke links that were served via HTTP, a lot of client campaigns stopped working because their ESP's where not compatible.

November 2023 - LinkedIn
Marketer view

Marketer from Email Geeks shares that HSTS/HTTPS is still not universally enabled. Issues arise when clients enable HSTS without notifying their marketing team, causing security issues when links set to HTTP are clicked. Often, marketing is unaware of the change, preventing them from proactively addressing the potential impacts, and IT teams may not fully grasp the consequences.

December 2022 - Email Geeks
Marketer view

Email marketer from Salesforce explains that with the introduction of HSTS you need to ensure all links use HTTPS so that email marketing campaigns are not negatively impacted. This is particularly important for click-tracking URLs, image references, and links to landing pages

November 2021 - Salesforce
Marketer view

Email marketer from Reddit shares that failing to account for existing HTTP links and resources can result in broken functionality. Proper communication between IT and marketing is essential to prevent disruptions.

April 2024 - Reddit
Marketer view

Email marketer from EmailOctopus Blog shares that enabling HSTS without updating all assets (including links in email campaigns) to HTTPS can result in broken links and reduced engagement. Marketing teams need to coordinate with IT to ensure all URLs are updated before HSTS is enabled.

February 2022 - EmailOctopus Blog
Marketer view

Marketer from Email Geeks recounts a situation where they had to request their ESP to configure their backend to support HTTPS for their domain. They emphasize that HTTPS support should be the standard for all ESPs.

June 2022 - Email Geeks
Marketer view

Email marketer from Troy Hunt's Blog explains that HSTS primarily prevents man-in-the-middle attackers from downgrading secure HTTPS connections to insecure HTTP connections, thus protecting user data in transit. However, if implemented without considering existing HTTP links in emails, users might experience broken links and a degraded user experience.

February 2022 - Troy Hunt's Blog

What the experts say
3Expert opinions

Enabling HSTS without thorough preparation can lead to broken links and SSL mismatch errors, negatively impacting the user experience. A core issue arises when HSTS is activated without first ensuring all assets, especially those in older email campaigns, are served over HTTPS. Furthermore, if an ESP's click-tracking endpoints don't universally support SSL, users may encounter SSL mismatch errors upon clicking email links. Therefore, it's crucial to verify that all systems are HTTPS-compatible and that HSTS is implemented carefully to avoid these disruptions.

Key opinions

  • Broken Links: Enabling HSTS without updating all assets to HTTPS can break links, particularly in older email campaigns.
  • SSL Mismatch Errors: If an ESP's click tracking endpoints don't fully support SSL, HSTS can lead to SSL mismatch errors, creating a poor user experience.
  • Lack of Preparation: Turning HSTS on without ensuring it doesn't break anything is a common problem.

Key considerations

  • HTTPS Compatibility: Ensure that all assets and links, especially those in older campaigns, are served over HTTPS.
  • ESP Support for SSL: Verify that your ESP fully supports SSL for click tracking endpoints to prevent SSL mismatch errors.
  • Thorough Testing: Thoroughly test all links and assets after enabling HSTS to ensure they function correctly.
Expert view

Expert from Email Geeks explains that if an ESP's click tracking endpoints support SSL but don't have it enabled for all customers, enabling HSTS for a domain can result in users encountering SSL mismatch errors when clicking email links, leading to a poor user experience. Some ESPs need to upgrade their systems to ensure HTTPS support is standard for all customers.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks explains the problem is people turning HSTS on without ensuring it doesn't break anything.

April 2022 - Email Geeks
Expert view

Expert from Word to the Wise explains that one major problem with enabling HSTS is that it can break links if you don't ensure that all assets are served over HTTPS. This can particularly impact older email campaigns where links may still point to HTTP resources, and can lead to a negative user experience.

March 2022 - Word to the Wise

What the documentation says
4Technical articles

Enabling HSTS without proper planning results in accessibility and configuration errors, primarily due to broken links. HSTS enforces HTTPS connections, automatically upgrading HTTP requests to HTTPS. If existing HTTP links in emails and websites aren't updated, users will encounter failed connections and errors, leading to broken user journeys. A fully functional HTTPS setup is a prerequisite, and coordination across teams, particularly with marketing, is essential to ensure all internal and third-party links are updated before HSTS deployment. Incorrect configuration or premature deployment without these considerations leads to accessibility issues.

Key findings

  • Broken User Journeys: Existing HTTP links in emails fail, leading to broken user journeys when HSTS is enabled without proper planning.
  • Accessibility Issues: Incorrect configuration or premature deployment of HSTS can lead to accessibility problems.
  • HTTPS Prerequisite: A fully functional HTTPS setup is required before enabling HSTS.
  • Configuration Errors: The introduction of HSTS, can cause configuration errors if there are broken links.

Key considerations

  • Update All Links: Ensure all internal and third-party links are updated to HTTPS before HSTS deployment.
  • Team Coordination: Coordinate with all teams, especially marketing, to ensure a smooth transition.
  • Validate HTTPS Setup: Verify that you have a fully functional HTTPS setup before enabling HSTS to prevent breakages.
Technical article

Documentation from Mozilla Developer Network explains that HSTS instructs browsers to only connect to a website over HTTPS. If a user types `http://example.com`, the browser automatically upgrades the connection to `https://example.com`. Without proper planning, existing `http://` links in emails will fail, leading to broken user journeys.

January 2024 - Mozilla Developer Network
Technical article

Documentation from OWASP explains that while HSTS improves security, incorrect configuration or premature deployment can lead to accessibility issues. If internal or third-party links are not updated to HTTPS, users will encounter errors. Coordination with all teams, including marketing, is vital.

November 2021 - OWASP
Technical article

Documentation from Google Developers explains that to enable HSTS, you first need a fully functional HTTPS setup. Attempting to enable HSTS on a site with mixed HTTP and HTTPS content will cause breakages. Marketing teams need to ensure all links are HTTPS before HSTS deployment.

February 2025 - Google Developers
Technical article

Documentation from DigiCert describes that with the introduction of HSTS, it causes configuration errors if there are broken links. When a user clicks on a HTTP link, the browser attempts to forward the browser to HTTPS. If it is invalid it errors.

January 2025 - DigiCert

Related resources
3Resources

What do you want to know about Supabase? For real. : r/Supabase
What do you want to know about Supabase? For real. : r/Supabase

Posted by u/activenode - 96 votes and 216 comments

Reddit
HSTS cannot be disabled and should not be enforced if HTTP is on ...
HSTS cannot be disabled and should not be enforced if HTTP is on ...

Describe the bug I disabled HSTS from the dockerfile with: ENV KC_HOSTNAME_STRICT_HTTPS=false When the container starts, I see this in the log: 2022-09-01 19:36:44,991 INFO [org.keycloak.quarkus.ru...

GitHub
Miro | The Innovation Workspace
Miro | The Innovation Workspace

Miro is the innovation workspace where teams manage projects, design products, and build the future together. Join 80M+ users from around the world.

https://miro.com/

Related questions