Enable HTTP Strict Transport Security (HSTS)

  •   22/01/2021 15:40

HTTP Strict Transport Security is a response header that your website can send to visitors to tell their browsers never to connect to your site without encryption for a set time period. For that period, the browser will refuse to connect to your website insecurely, which is useful to defend against a downgrade attack or something similar targeting your visitors.
Enabling it is quite simple: your website just needs to send a response header that enables it and specifies how long it applies for.
Strict-Transport-Security: max-age=31536000;
Enabling with .htaccess on Linux

If you're using our web hosting, cPanel hosting, or ULTRA hosting, then you need to add the following to your .htaccess file in the httpdocs or public_html folder of your website. You can adjust the "max-age" setting to the number of seconds you want HSTS to be enabled for; generally it would be set to 1 year or longer.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
You can also extend this to encompass all subdomains with the following, but be careful: every single subdomain, even things like webmail, will then require a valid SSL certificate or you won't be able to load them, so think carefully before enabling it.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Enabling with web.config on Windows
To enable HSTS on Windows, add the following to the web.config file in your httpdocs folder or the web root of your website. You may need to create this file if there isn't one.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
If you'd like to include all subdomains of your domain then append "; includeSubDomains" after the max-age value of the rewrite rule.
Preloading
Google maintains a list of websites that wish for HSTS to be preloaded into browsers. All modern browsers support this list maintained by the Chrome team, including Chrome, Firefox, Opera, Safari, IE 11 and Edge. If your site is included in the HSTS preload list, users of those browsers will default to HTTPS when accessing your site, regardless of whether they have visited your site before. To enable it you must amend your HSTS header to be the following:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Once your HSTS headers are set up correctly, you can verify and enroll your site in the HSTS preload list at https://hstspreload.org
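
A small checker for the header values shown in this article, added here as an example (it is not part of the original article or of any hosting product). It parses a Strict-Transport-Security value and reports whether it has the preload form given above; the names parse_hsts and audit_hsts are hypothetical, and treating 31536000 as the minimum max-age for the preload form is an assumption.

```python
import re

PRELOAD_MIN_AGE = 31536000  # assumption: the page's one-year value is the minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value, following RFC 6797 section 6.1.

    Simplified: assumes no ';' appears inside a quoted value.
    Returns {lower-cased directive name: value or None}; raises ValueError
    when the header is invalid.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                      # empty directives (a trailing ';') are allowed
            continue
        name, sep, raw = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        raw = raw.strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]               # quoted-string form, e.g. max-age="300"
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw if sep else None
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age must be a non-negative integer")
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit_hsts(value):
    """Summarise what the policy does and whether it has the preload form."""
    d = parse_hsts(value)
    sub = "includesubdomains" in d
    return {
        "max_age": d["max-age"],
        "enabled": d["max-age"] > 0,      # max-age=0 tells browsers to drop the policy
        "include_subdomains": sub,
        "preload_form": sub and "preload" in d and d["max-age"] >= PRELOAD_MIN_AGE,
    }

if __name__ == "__main__":
    # The three header values used in this article
    for sample in ("max-age=31536000;",
                   "max-age=31536000; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload"):
        print(sample, "->", audit_hsts(sample))
```

Paste the value your site actually returns (from your browser's developer tools or a header checker) into audit_hsts to confirm that the .htaccess or web.config change took effect.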