Setting up HSTS

HSTS (HTTP Strict Transport Security) is a mechanism for forcing the transition from HTTP to HTTPS. The technology appeared in 2012 and is today supported by all browsers. The policy instructs the browser to switch all requests to the domain from HTTP to HTTPS by means of the Strict-Transport-Security header, described in the standard RFC 6797. Keep in mind that the HSTS policy is cached for the specified period, and during that time it is not possible to return to the HTTP protocol except by manually clearing the browser's security policies.

Important points:

  • The HSTS policy applies only after the first visit to the site. On the first visit, the browser does not yet know about the header, so the request can be made over HTTP.
  • Not all browsers support this technology. Where there is no support, the header is ignored. Support is implemented in all Chromium-based browsers (Chrome, Opera and others) and in Firefox.
  • The HSTS policy is saved for specific domains for the period specified in the transmitted header. Until this period expires, it is impossible to switch to the HTTP protocol without manually clearing the cache.
  • Do not set a large max-age period right away. Set the parameter to 900 to check that the site works, and if everything is in order, change it to a higher value.
  • Adding the HSTS header through .htaccess is possible only with the Apache web server; with LiteSpeed or PHP-FPM, the rule in .htaccess will be ignored.
  • To get an «A+» rating in the SSL Labs test, the caching period must be at least 180 days (15552000 seconds).
  1. Open the site settings.
  2. Next to the parameter «Strict-Transport-Security (HSTS) Header», specify the period for caching the policy in browsers and save the changes.
  3. If the header should also apply to all subdomains, additionally check the box next to «Add includeSubDomains attribute for Strict-Transport-Security header».
  4. Check that the header works using geekflare.com.
  1. Add the following line to the .htaccess file in the site directory:
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    • max-age — the period, in seconds, for which browsers cache the policy.
    • includeSubDomains — apply the policy to all subdomains.
    • preload — allows the domain's policy to be preloaded in supporting browsers, so that HTTP is changed to HTTPS before the site is loaded.
  2. Check that the header works using geekflare.com.
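
An offline check of a header value against the points above, as an added example that is not part of the original page: it parses a Strict-Transport-Security value using the directive syntax of RFC 6797 and reports on the 900-second trial value and the 180-day threshold mentioned here. The function names and the sample values are constructed for illustration.

```python
# Added example: parse a Strict-Transport-Security value and compare it
# with the thresholds mentioned on this page. Names are illustrative.
TEST_MAX_AGE = 900          # trial value suggested on this page
A_PLUS_MAX_AGE = 15552000   # 180 days, the SSL Labs "A+" minimum per this page


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload); raise ValueError if invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate empty directives ("a;;b")
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]               # quoted-string form: max-age="900"
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen[name] = arg
    if "max-age" not in seen:
        raise ValueError("max-age is required")
    if not (seen["max-age"].isascii() and seen["max-age"].isdigit()):
        raise ValueError("max-age must be a non-negative integer")
    return int(seen["max-age"]), "includesubdomains" in seen, "preload" in seen


def review_hsts(value):
    """Return a list of findings for one header value."""
    try:
        max_age, _subdomains, _preload = parse_hsts(value)
    except ValueError as exc:
        return ["invalid: %s" % exc]
    if max_age == 0:
        return ["max-age=0 tells the browser to drop the cached policy"]
    if max_age <= TEST_MAX_AGE:
        return ["trial-sized max-age; raise it once the site is confirmed working"]
    if max_age < A_PLUS_MAX_AGE:
        return ["max-age is below 180 days (15552000 seconds)"]
    return ["ok"]


if __name__ == "__main__":
    # Constructed sample values, including the one from the .htaccess line above.
    for sample in ("max-age=900",
                   "max-age=31536000; includeSubDomains; preload",
                   "includeSubDomains"):
        print(sample, "->", review_hsts(sample))
```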