@Danial-Ahmed said in HTTP Strict Transport Security (HSTS):
How to Enable HTTP Strict Transport Security (HSTS) Policy for following SSL certificates
— Free Let’s Encrypt SSL Certificate.
— Free Let’s Encrypt Wildcard SSL Certificate.
— Custom SSL Certificate.
- Before enabling HSTS policy, you need to make sure that the SSL Certificate is deployed on your website, and HTTP to HTTPS redirection is implemented. The following kinds of SSL Certificates can be installed.
- Now, you need to connect to your server remotely via SSH so you can access .htaccess file of your application.
- Now, you need to go to that specific directory where your webroot is located. In other words, where your .htaccess file is located. By default, it is in public_html directory so enter a command mentioned below to go into the public_html folder.
4.1. Here comes the final step of editing the .htaccess file and adding the HSTS rule. Executing the below command will open the file for editing.
4.2. Once the file is opened, you need to press i key to go into the editing mode. You will see – – INSERT – – in the bottom of your screen after pressing the key.
4.3. Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS
This rule defines one-year max-age access, which includes your website’s root domain and any subdomains. Once the browser has accessed the website, then it will no longer be able to access the unsecured version (HTTP) of a website for a year. Please make sure that all subdomains are covered in your SSL Certificate, and HTTPS redirection is enabled. If you fail to do so, then your subdomains will no be accessible after saving changes in the .htaccess file.
Note: Before adding the one-year max-age, test your entire website with five minutes max-age first using: max-age=300;
4.4. Finally, press ESC key to exit the editing mode and then type and run the below command to save the changes.
Tip: This command can’t be copied and pasted, you need to type the command and hit Enter key.