How much time to be set for HSTS.
Enforce web security policy for your website.
Status: On
Max-Age: 6 months (Recommended)
Include subdomains: On
Preload: On
This setting was last changed 2 minutes ago
Change HSTS Settings
@Danial-Ahmed said in HTTP Strict Transport Security (HSTS):
How to Enable HTTP Strict Transport Security (HSTS) Policy for following SSL certificates
— Free Let’s Encrypt SSL Certificate.
— Free Let’s Encrypt Wildcard SSL Certificate.
— Custom SSL Certificate.
cd applications/<your_application_name>/public_html/
4.1. Here comes the final step of editing the .htaccess file and adding the HSTS rule. Executing the below command will open the file for editing.
vim .htaccess
4.2. Once the file is opened, you need to press i key to go into the editing mode. You will see – – INSERT – – in the bottom of your screen after pressing the key.
4.3. Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Then, copy this HSTS rule and paste the rule before the instance where it says # BEGIN WordPress/etc .
Header always set Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” env=HTTPS
This rule defines one-year max-age access, which includes your website’s root domain and any subdomains. Once the browser has accessed the website, then it will no longer be able to access the unsecured version (HTTP) of a website for a year. Please make sure that all subdomains are covered in your SSL Certificate, and HTTPS redirection is enabled. If you fail to do so, then your subdomains will no be accessible after saving changes in the .htaccess file.
Note: Before adding the one-year max-age, test your entire website with five minutes max-age first using: max-age=300;
4.4. Finally, press ESC key to exit the editing mode and then type and run the below command to save the changes.
Tip: This command can’t be copied and pasted, you need to type the command and hit Enter key.
:wq!
How to Enable HTTP Strict Transport Security (HSTS) Policy for following SSL certificates
— Free Let’s Encrypt SSL Certificate.
— Free Let’s Encrypt Wildcard SSL Certificate.
— Custom SSL Certificate.
HTTP Strict Transport Security (HSTS) can substantially improve the security of your website. However, there are important considerations to keep in mind when enabling HSTS:
HTTPS (SSL) must be enabled in order to use HSTS.
If you turn on HSTS and do not have HTTPS for your website, browsers will not accept the HSTS setting.
If you have HSTS enabled and leave Cloudflare, you need to continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.
If you turn off Cloudflare’s HTTPS while HSTS is enabled, and you don’t have a valid SSL certificate on your origin server, your website will become inaccessible to visitors.
Note: Disabling Cloudflare’s HTTP can be done in several ways: Grey clouding a subdomain in your DNS records, “Pausing” the Cloudflare service, or having a misconfigured custom SSL certificate through your Cloudflare dashboard (e.g., invalid SSL certificates, expired certificates, or mismatched host names).
If you need to disable HTTPS on your domain, you must first disable HSTS in your Cloudflare dashboard and wait for the max-age to lapse to guarantee that every browser is aware of this change before you can disable HTTPS. The average max-age is six months (you can set the max-age in the next step). If you remove HTTPS before disabling HSTS your website will become inaccessible to visitors for up to the max-age or until you support HTTPS again. Because disabling HTTPS on an HSTS enabled website can have these consequences, we strongly suggest that you have a committed HTTPS service in place before enabling this feature.
If you want to know how you can join us and get 100% Discount on your FEE ask Cyberian in Chat Room!
