Implement HSTS using .htaccess

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy delivered as a response header. Once a browser has received it over HTTPS, the browser rewrites every plain http:// request for that host into an https:// request before it leaves the machine, and it refuses to let the user click through certificate errors on that host for as long as the policy is remembered. The server itself still answers on port 80; HSTS removes the browser's willingness to use it.

HSTS syntax is:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

max-age
The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. A value of 0 tells the browser to forget the policy.
includeSubDomains Optional
If this optional parameter is specified, the rule applies to all of the site's subdomains as well.
preload Optional
Not defined in RFC 6797. It signals the site owner's consent to having the domain shipped in browsers' built-in preload lists; on its own it changes nothing in the browser.

The recommended value for the HSTS header according to https://hstspreload.org/ is:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

The preload directive does not by itself put a site on any list. It only records consent; the domain must then be submitted at https://hstspreload.org/ and pass its checks: a valid certificate, a redirect from HTTP to HTTPS on the same host, the header on the base domain with a max-age of at least 31536000 seconds (one year), includeSubDomains and preload, and every subdomain reachable over HTTPS. The list is maintained by the Chromium project and shipped with Chrome and Edge; Firefox and Safari derive their lists from it. Preloading is hard to undo, since removal takes months to reach users, so submit only when every subdomain, internal hosts included, serves HTTPS.

To Implement HSTS for your site:

1. Log into your web hosting account and edit or create the .htaccess file in the site's document root.

2. Add the following lines to the .htaccess file and save it.

<IfModule mod_headers.c>
    # "always" also adds the header to error and redirect responses, which plain "set" skips
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

Browsers that receive this header over HTTPS will now use HTTPS for the main domain and all of its subdomains for the max-age period. Before enabling includeSubDomains, confirm that every subdomain (mail, dev, internal hosts) is reachable over HTTPS, otherwise those hosts become unreachable in every browser that has seen the header.

3. Submit your site to the HSTS preload list at https://hstspreload.org/. The form checks the requirements above (HTTPS, HTTP-to-HTTPS redirect, header with max-age of at least one year, includeSubDomains and preload) before it accepts the domain.
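A complete .htaccess that satisfies the three steps above, including the HTTP-to-HTTPS redirect that hstspreload.org requires and that the header line alone does not provide. This is an added example, not the original page's snippet; it assumes mod_rewrite and mod_headers are enabled and that Apache itself terminates TLS (the HTTPS variable is set by mod_ssl).

```apache
# Added example: complete HSTS setup for a site whose TLS is terminated by Apache.
# Assumes mod_rewrite and mod_headers are loaded (most shared hosts enable both).

# 1. Send every plain-HTTP request to the same URL over HTTPS with a permanent
#    redirect. hstspreload.org requires this redirect on the base domain.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# 2. Send the HSTS header on HTTPS responses only. Browsers ignore the header
#    on plain HTTP anyway (RFC 6797, section 8.1), and "always" makes sure it is
#    also present on 3xx and 4xx responses, which the preload checker inspects.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
</IfModule>
```

If TLS is terminated in front of Apache (a CDN or reverse proxy), the HTTPS variable is not set and the env=HTTPS condition would suppress the header entirely; in that setup drop the condition or key it on the X-Forwarded-Proto header instead. After uploading, confirm the result with curl -sI https://your-domain/ and look for the Strict-Transport-Security line, and check that curl -sI http://your-domain/ returns a 301 to the https:// URL.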


To test the HSTS header (and other headers) use https://securityheaders.com/

Resources:

Wikipedia: HTTP Strict Transport Security
MDN: Strict-Transport-Security header
RFC 6797: HTTP Strict Transport Security (HSTS)
