2.7.1.1.10. Configure HSTS
HSTS (HTTP Strict Transport Security) is a mechanism for enforcing the transition from HTTP to HTTPS. The technology emerged in 2012 and is currently supported by all browsers. The policy instructs the browser to forcibly rewrite every address on the domain from HTTP to HTTPS; it is delivered through the Strict-Transport-Security header, as described in RFC 6797. Note that the browser caches the HSTS policy for the specified period, and during this time reverting to HTTP is not possible, except by manually clearing the browser's security policies.
Important points:
- The HSTS policy is applied only after the first visit to the site. During the initial visit, the browser is not yet aware of the header, and the request may be executed over HTTP.
- Not all browsers support this technology. If there is no support, it will be ignored. Support is implemented in all Chromium-based browsers (Chrome, Opera and others) and Firefox.
- The HSTS policy is retained for specific domains for the period specified in the transmitted header. Until the expiration of this period, it is impossible to switch to the HTTP protocol without manually clearing the cache.
- Do not specify a large period in max-age right away. Start with a value of 900 to check that the site works correctly, and if everything is fine, you can increase it.
- To get an "A+" rating in the SSL Labs test, the caching period must be at least 180 days (15,552,000 seconds).
Control panel
- Open the "Site protection" section and switch to the "Main settings" tab.
- In the "Strict-Transport-Security header" field, specify the policy caching period in browsers and save the changes.
- (If the header should apply to all subdomains) Enable "Add the includeSubDomains attribute to the Strict-Transport-Security header".
- Check that the header is returned by the site using the test at geekflare.com.
.htaccess
- Add the following line to the .htaccess file in the site directory:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
- max-age: period of policy caching in browsers, in seconds.
- includeSubDomains: apply the policy to all subdomains.
- preload: enable the policy for the domain in supported browsers (ensures that HTTP is changed to HTTPS before the site is loaded).
The env=HTTPS condition sends the header only in responses served over HTTPS; RFC 6797 requires browsers to ignore a Strict-Transport-Security header received over plain HTTP, so sending it there has no effect.
- Check that the header is returned by the site using the test at geekflare.com.
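The following added example (not part of the control panel or its documentation) shows the two things a practitioner usually wants to verify before raising max-age: that the header value the server sends parses into the policy you intended and meets the thresholds quoted above (900 for the first test, 15,552,000 for an SSL Labs "A+"), and how a browser's HSTS cache then behaves across the first visit, subsequent visits, subdomains and expiry, as described in the "Important points" list. The host example.com, the timestamps and the header values are constructed for the demonstration.

```python
"""Parse a Strict-Transport-Security header and model a browser's HSTS cache.

Added example, not the control panel's code. Hosts, times and header
values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

INITIAL_TEST_MAX_AGE = 900            # starting value the page recommends
SSL_LABS_A_PLUS_MIN_AGE = 15_552_000  # 180 days, required for an "A+" rating
PRELOAD_MIN_AGE = 31_536_000          # one year, required by the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse the directives of a Strict-Transport-Security header value.

    Returns None when the header is invalid (max-age missing or not a
    number); a browser ignores such a header, so no policy is cached.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # RFC 6797 allows a quoted max-age
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def review_policy(policy: HstsPolicy) -> List[str]:
    """Return findings against the recommendations on this page."""
    findings = []
    if policy.max_age < SSL_LABS_A_PLUS_MIN_AGE:
        findings.append("max-age is below the 180-day minimum for an A+ rating")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    if policy.preload and (not policy.include_subdomains or policy.max_age < PRELOAD_MIN_AGE):
        findings.append("preload set, but the preload list needs includeSubDomains and max-age >= 1 year")
    return findings


class HstsCache:
    """Minimal model of a browser's HSTS 'known hosts' store."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host: str, policy: HstsPolicy, now: float, received_over_https: bool) -> None:
        """Record a policy from a response; headers seen over plain HTTP are ignored."""
        if not received_over_https:
            return
        if policy.max_age == 0:
            self._entries.pop(host.lower(), None)   # max-age=0 deletes the cached entry
        else:
            self._entries[host.lower()] = (now + policy.max_age, policy.include_subdomains)

    def should_upgrade(self, host: str, now: float) -> bool:
        """True if the host or a parent domain with includeSubDomains has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue                      # expired: HTTP is possible again
            if i == 0 or include_subdomains:
                return True
        return False


def rewrite_url(cache: HstsCache, url: str, now: float) -> str:
    """Rewrite http:// to https:// when the cache says the host is HSTS-protected."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.should_upgrade(parts.hostname or "", now):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def demo() -> Dict[str, str]:
    """Walk through the first-visit, subsequent-visit, subdomain and expiry cases."""
    cache = HstsCache()
    now = 1_700_000_000.0                      # constructed current time (epoch seconds)
    first = rewrite_url(cache, "http://example.com/login", now)          # nothing cached yet
    policy = parse_hsts("max-age=31536000; includeSubDomains; preload")  # header from .htaccess above
    cache.observe("example.com", policy, now, received_over_https=True)
    second = rewrite_url(cache, "http://example.com/login", now + 60)
    sub = rewrite_url(cache, "http://shop.example.com/", now + 60)
    expired = rewrite_url(cache, "http://example.com/login", now + 31_536_000 + 1)
    return {"first": first, "second": second, "sub": sub, "expired": expired}
```

Running `demo()` shows the first http:// request left untouched, the next two upgraded (the subdomain only because includeSubDomains was set), and the request after max-age has elapsed back on HTTP, which is why the page advises starting with a short max-age and raising it only once the site is confirmed to work over HTTPS everywhere.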