HSTS (HTTP Strict Transport Security) is a web security policy that aims to protect websites against SSL/TLS stripping attacks by forcing web browsers to communicate only via HTTPS. When a website has HSTS enabled, it tells web browsers that all communication with the website should use HTTPS, even if a user manually enters an HTTP URL. This helps prevent Man-in-the-Middle (MITM) attacks and other forms of malicious interception of traffic.
To enable HSTS on your website, you need to add an HSTS header to your server response. The HSTS header specifies how long the browser should automatically use HTTPS for your domain, and optionally includes a preload directive that allows your website to be included in the HSTS preload list, a list of domains that is hardcoded into popular web browsers.
To add an HSTS header, you need to modify the distributed configuration file (.htaccess) of your domain. This is located in the document root of your domain, for example in the "public_html" folder.
Here is an example of how to set the HSTS header (this is an Apache directive and requires the mod_headers module, which is normally enabled):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
In this example, max-age specifies the number of seconds that the browser should remember to use HTTPS, includeSubDomains extends the policy to all subdomains of the domain, and preload indicates that the website may be included in the browser preload list.
Please ensure that all sub-domains support the HTTPS protocol and have valid SSL certificates if you use the includeSubDomains option. Otherwise, you and your visitors will no longer be able to access sub-domains that don't. If all sub-domains are hosted on our servers, both conditions should be fulfilled.
After you've added the HSTS header to your server response, it may take some time for the changes to propagate to all your visitors' browsers. Once it's in effect, users will automatically be redirected to HTTPS when they visit your website, helping to improve their security and protect their privacy.
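To verify what a browser will actually do with the header you configured, the following added example (not part of this article) parses a Strict-Transport-Security value the way RFC 6797 describes and flags the problems discussed above: a malformed or missing max-age (the whole header is ignored), max-age=0 (which clears the policy), a max-age shorter than the one year that hstspreload.org expects, preload without includeSubDomains, and a header sent over plain HTTP (browsers ignore it). The header values are constructed sample input; the `served_over_https` flag is an assumption you supply from your own check.

```python
"""Parse and sanity-check a Strict-Transport-Security header value.
Example code added to this article; the sample headers below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # minimum max-age the hstspreload.org submission form expects

# Constructed samples: the article's own header and a weak quoted one.
EXAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"
WEAK_HEADER = 'max-age="300"'


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a browser applies, or None when the header is invalid
    (RFC 6797: a missing, duplicated or non-numeric max-age voids the header)."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a directive must not appear more than once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_policy(value: str, served_over_https: bool = True) -> List[str]:
    """Return a list of problems with the deployed header; empty means it is sound."""
    problems = []
    if not served_over_https:
        problems.append("header sent over plain HTTP: browsers ignore it")
    policy = parse_hsts(value)
    if policy is None:
        return problems + ["header is malformed and will be ignored"]
    if policy.max_age == 0:
        problems.append("max-age=0 clears the policy instead of enabling it")
    elif policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if policy.preload and not policy.include_subdomains:
        problems.append("preload requires includeSubDomains")
    return problems
```

Running `check_policy(EXAMPLE_HEADER)` returns an empty list, while `check_policy(WEAK_HEADER)` reports the short max-age.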
Updated by SP on 27/04/2023