SSL: The HSTS policy and your Marketo subdomains

Version 5

    What is HSTS?

    The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, never plain HTTP.  Once a browser has seen the header on a secure connection, it rewrites any http:// request for that host to https:// before sending it, and it no longer lets the user click through certificate errors for that host.  This defeats downgrade and SSL-stripping attacks, a common form of man-in-the-middle attack in which an attacker keeps the victim on an unencrypted connection.

     

    What does this mean for Marketo assets?

    A domain can assert the HSTS policy for all of its subdomains (the includeSubDomains directive of the header).  This means both the subdomains used for Marketo landing pages and the subdomains for Marketo tracking links must also be secured with SSL/TLS certificates.  If HSTS is asserted for subdomains and the Marketo subdomains are not secured, browsers will upgrade every request to those subdomains to HTTPS; because no valid certificate is served there, people who visit landing pages or click on tracked links in emails will receive security errors that cannot be bypassed, and the pages will not load.

     

    This is resolved by purchasing both Secured Domains for Landing Pages and Secured Domains for Tracking Links.  There are very few exceptions where a domain utilizing HSTS will not need to secure both landing page domains and tracking link domains.

     

    How do I know if my domain is using HSTS?

    Reach out to your IT and/or web development team to confirm whether your domain uses HSTS, and whether both Secured Domains for Landing Pages and Secured Domains for Tracking Links are necessary for your business.  If your website uses HSTS with the includeSubDomains flag set, you will need to secure both your landing page domains and tracking link domains in almost all circumstances.

     

    Google Chrome has a built-in HSTS checker that you can use to verify your HSTS settings.

     

    1.  Visit the root domain of your website over HTTPS with the Chrome browser.  For example, if your Marketo landing pages use visit.acme.com, navigate to https://acme.com.  This loads the domain's HSTS policy into Chrome; browsers only record an HSTS header that was received over a secure connection, so an http:// visit will not do it.  (Domains on Chrome's built-in preload list show up even without a visit.)

     

    2.  Navigate to chrome://net-internals/#hsts in Chrome.  This will load Chrome's HSTS checker.

     

    3.  In the "Query HSTS/PKP domain" section, type the domain you wish to check (for example acme.com, not the landing page subdomain).  Click "Query".

     

     

    4.  If the query returns "Found" with a list of configuration settings, you will need to check two settings:

    • If either "static_upgrade_mode" or "dynamic_upgrade_mode" has the value "FORCE_HTTPS" (older Chrome versions show "STRICT"), then the domain is enforcing HSTS and all connections are made over HTTPS.  "static_" entries come from Chrome's built-in preload list; "dynamic_" entries come from a header Chrome received when you visited the site.
    • If either "static_sts_include_subdomains" or "dynamic_sts_include_subdomains" is "true", then all subdomains are subject to the HSTS policy.  (The similarly named "pkp_include_subdomains" fields relate to public key pinning, not HSTS.)

    If both of the above are true then both Secured Domains for Landing Pages and Tracking Links may be required.
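    The following Python script is an added example and is not part of this article or of Marketo's software.  It shows the same decision the sections above describe: it parses a Strict-Transport-Security header the way a browser does (max-age, includeSubDomains, preload), then reports which Marketo hosts under the root domain are forced to HTTPS, and therefore need certificates.  acme.com and visit.acme.com are taken from the article; click.acme.com, the sample header value, and the optional live fetch (a scripted stand-in for the Chrome net-internals query, which needs network access) are assumptions made for the example.

```python
"""Parse a Strict-Transport-Security header and decide which hosts it covers.

Added example, not part of the Marketo article.  acme.com and visit.acme.com
come from the article; click.acme.com and the header value are constructed.
"""
import http.client
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int              # seconds the browser remembers the policy
    include_subdomains: bool  # the includeSubDomains directive was present
    preload: bool             # the preload directive was present

    @property
    def enforcing(self) -> bool:
        # RFC 6797: max-age=0 tells the browser to forget the host;
        # any positive value forces HTTPS for the rest of that period.
        return self.max_age > 0


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Return the policy expressed by a Strict-Transport-Security header value.

    Returns None when the header is absent or has no valid max-age, which is
    how a browser treats it (the header is ignored).  Directive names are
    case-insensitive and unknown directives are ignored, as RFC 6797 requires.
    """
    if header_value is None:
        return None
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: the whole header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def covered_by(policy: Optional[HstsPolicy], policy_host: str, hostname: str) -> bool:
    """Does a policy asserted by policy_host force HTTPS for hostname?"""
    if policy is None or not policy.enforcing:
        return False
    policy_host = policy_host.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if hostname == policy_host:
        return True
    # Only a real label boundary counts: "notacme.com" is not a subdomain of "acme.com".
    return policy.include_subdomains and hostname.endswith("." + policy_host)


def marketo_hosts_needing_tls(header_value: Optional[str], root: str,
                              hosts: Iterable[str]) -> List[str]:
    """Which Marketo hosts under root must serve a valid certificate because of HSTS."""
    policy = parse_hsts(header_value)
    return [h for h in hosts if covered_by(policy, root, h)]


def fetch_hsts_header(host: str, timeout: float = 10.0) -> Optional[str]:
    """Live check (needs network): HEAD / over HTTPS and return the header, if any.

    A scripted stand-in for the Chrome net-internals query, not the article's
    procedure.  Only a header received over HTTPS counts, which is why the
    request is made with HTTPSConnection rather than HTTPConnection.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample header, as a root domain with a strict policy might send it.
SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"
# visit.acme.com is the article's example; click.acme.com is a hypothetical tracking-link host.
MARKETO_HOSTS = ("visit.acme.com", "click.acme.com")

if __name__ == "__main__":
    needing = marketo_hosts_needing_tls(SAMPLE_HEADER, "acme.com", MARKETO_HOSTS)
    print("Hosts that must be secured:", needing)
```

    With the sample header both hosts are reported; with "max-age=31536000" alone (no includeSubDomains) neither is, which is the distinction step 4 above asks you to check.  To test a real domain, pass the result of fetch_hsts_header("acme.com") in place of SAMPLE_HEADER.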

     

    If the query returns "Not Found", or the upgrade mode is not "FORCE_HTTPS" or "STRICT", then the landing page and tracking link subdomains may not have strict HTTPS requirements from HSTS.  Note that "Not Found" only tells you that this Chrome profile has not recorded a policy; if you have not yet visited the site over HTTPS (step 1), repeat the query after doing so.

     

    Always verify with your IT and/or web development team what your domain's security policies and requirements are.  Failure to properly secure your landing page or tracking domains according to your domain's security policy may result in landing pages or tracking links not resolving in browsers.  A lack of a strict HSTS policy does not necessarily mean you do not need to secure your Marketo domains.

     

    My domain asserts HSTS on my subdomains but I do not have HTTPS encryption with my Marketo subscription.  What do I do?

    Reach out to your Customer Success Manager to discuss purchasing Secured Domains for Landing Pages and Secured Domains for Tracking Links.  Configuration instructions can be found below:

    Overview & FAQ: Secured Domains for Landing Pages

    Overview & FAQ: Secured Domains for Tracking Links