HTTP Strict Transport Security (HSTS)

Khuram Shahzad

How much time to be set for HSTS.

Enforce web security policy for your website.
Status: On
Max-Age: 6 months (Recommended)
Include subdomains: On
Preload: On
This setting was last changed 2 minutes ago

Change HSTS Settings

zaasmi

@Danial-Ahmed said in HTTP Strict Transport Security (HSTS):

How to Enable HTTP Strict Transport Security (HSTS) Policy for following SSL certificates
— Free Let’s Encrypt SSL Certificate.
— Free Let’s Encrypt Wildcard SSL Certificate.
— Custom SSL Certificate.

1. Before enabling HSTS policy, you need to make sure that the SSL Certificate is deployed on your website, and HTTP to HTTPS redirection is implemented. The following kinds of SSL Certificates can be installed.
2. Now, you need to connect to your server remotely via SSH so you can access .htaccess file of your application.
3. Now, you need to go to that specific directory where your webroot is located. In other words, where your .htaccess file is located. By default, it is in public_html directory so enter a command mentioned below to go into the public_html folder.

cd applications/<your_application_name>/public_html/

4.1. Here comes the final step of editing the .htaccess file and adding the HSTS rule. Executing the below command will open the file for editing.

vim .htaccess

4.2. Once the file is opened, you need to press i key to go into the editing mode. You will see – – INSERT – – in the bottom of your screen after pressing the key.
4.3. Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .

Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS
This rule defines one-year max-age access, which includes your website’s root domain and any subdomains. Once the browser has accessed the website, then it will no longer be able to access the unsecured version (HTTP) of a website for a year. Please make sure that all subdomains are covered in your SSL Certificate, and HTTPS redirection is enabled. If you fail to do so, then your subdomains will no be accessible after saving changes in the .htaccess file.
Note: Before adding the one-year max-age, test your entire website with five minutes max-age first using: max-age=300;

4.4. Finally, press ESC key to exit the editing mode and then type and run the below command to save the changes.
Tip: This command can’t be copied and pasted, you need to type the command and hit Enter key.

:wq!

Danial Ahmed

How to Enable HTTP Strict Transport Security (HSTS) Policy for following SSL certificates

— Free Let’s Encrypt SSL Certificate.

— Free Let’s Encrypt Wildcard SSL Certificate.

— Custom SSL Certificate.

zaasmi

HTTP Strict Transport Security (HSTS) can substantially improve the security of your website. However, there are important considerations to keep in mind when enabling HSTS:
HTTPS (SSL) must be enabled in order to use HSTS.
If you turn on HSTS and do not have HTTPS for your website, browsers will not accept the HSTS setting.
If you have HSTS enabled and leave Cloudflare, you need to continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.
If you turn off Cloudflare’s HTTPS while HSTS is enabled, and you don’t have a valid SSL certificate on your origin server, your website will become inaccessible to visitors.
Note: Disabling Cloudflare’s HTTP can be done in several ways: Grey clouding a subdomain in your DNS records, “Pausing” the Cloudflare service, or having a misconfigured custom SSL certificate through your Cloudflare dashboard (e.g., invalid SSL certificates, expired certificates, or mismatched host names).
If you need to disable HTTPS on your domain, you must first disable HSTS in your Cloudflare dashboard and wait for the max-age to lapse to guarantee that every browser is aware of this change before you can disable HTTPS. The average max-age is six months (you can set the max-age in the next step). If you remove HTTPS before disabling HSTS your website will become inaccessible to visitors for up to the max-age or until you support HTTPS again. Because disabling HTTPS on an HSTS enabled website can have these consequences, we strongly suggest that you have a committed HTTPS service in place before enabling this feature.

More information