How HSTS Can Break Links in Hive
What is HSTS?
HSTS is a setting that website owners can turn on that forces everyone visiting their website to do so securely over HTTPS (even if the user requested the page over HTTP). HSTS can be enabled for a root domain (e.g. example.com), some specific subdomains (e.g. www.example.com or hello.example.com), or for all subdomains (e.g. *.example.com).
Custom subdomains in Hive
Hive encourages all clients to send their emails from a custom subdomain, which means that links in outgoing emails use the custom subdomain too. For example, if my custom subdomain in Hive was mail.example.com, links in my emails would appear as click.mail.example.com. Links are rewritten to use the custom subdomain for seamless branding, better deliverability, and to enable us to track who’s clicking on what links in your email.
How does HSTS impact links in my emails?
When websites owners enable HSTS for all subdomains (by using the includeSubDomains HSTS directive), it subsequently “breaks” the links in emails they send through Hive; sometimes HSTS is set up this way because of the tech used to build a website (using a Wordpress plugin, etc).
Essentially, links inside emails to your custom subdomains route through the custom subdomain (ex. click.mail.example.com ) over HTTP (like http://click.mail.example.com/link-abc-xyz), then HSTS forces the link to go over HTTPS (https://click.mail.example.com/link-abc-xyz). Hive is unable to serve a valid SSL certificate for click.mail.example.com when a link gets rerouted over HTTPS. This causes your users’ browser to display a “this page is not secure” message, essentially breaking all of the outgoing links in your emails.
I need HSTS turned on, what should I do?
If you need to enable HSTS on your website, only enable it explicitly for the root domain and subdomains you need it turned on for. That way, Hive can properly redirect your email links without having to serve them over HTTPS. make sure HSTS is disabled for both your custom email subdomain (e.g. mail.example.com) and your "click tracking" custom email subdomain (e.g. click.mail.example.com).
I can’t disable HSTS for my custom email subdomain, what should I do?
If you are unable to turn off HSTS for all subdomains or just your custom email subdomain, Hive is forced to disable click tracking on all of the links in your emails going forward. We highly discourage this and this should be a last resort, because:
- It will impact your deliverability negatively going forward
- Links in previously-sent emails will be permanently broken
- Should you decide to turn HSTS off for your custom subdomain (to solve these problems), we have to keep link tracking turned off for approximately 180 days so that all the things on the internet that “cache” your HSTS settings will automatically update themselves
