How to add HTTP Strict Transport Security (HSTS) to Website

HTTP Strict Transport Security (HSTS) is an HTTP header that tells user agents to only connect to a given site securely over HTTPS, even if the scheme chosen was HTTP. HSTS also asks the browser to deal with TLS and certificate-related errors more strictly by preventing users from bypassing the error page.

The HSTS header consists of one mandatory directive (max-age) and two optional directives (includeSubDomains and preload), separated by semicolons.

Directives

  • max-age: how long user agents will redirect to HTTPS, in seconds
  • includeSubDomains: whether user agents should upgrade requests on subdomains
  • preload: whether the site should be included in the HSTS preload list

max-age must be set to at least six months (15768000), but longer periods like two years (63072000) are better. Once this value is set, the site must continue to support HTTPS until the expiry time has been reached.

includeSubDomains tells the browser that all subdomains of the current origin should also be upgraded via HSTS. For instance, setting includeSubDomains on my.rocket.domains will also set it on host1.my.rocket.domains and host2.my.rocket.domains. Be aware that setting the includeSubDomains flag could break sites on subdomains that don’t yet have HTTPS activated, since the browser will refuse to load them over plain HTTP.

preload enables the website to be added to the HSTS preload list, upon submission. As a result, web browsers will upgrade connections to the site to HTTPS without ever having to receive the initial HSTS header. This prevents downgrade attacks on first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list requires that includeSubDomains also be set.

HSTS Examples

# Only connect to this site via HTTPS for the next two years (recommended)
Strict-Transport-Security: max-age=63072000

# Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
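As an added example (not part of the original article), a small Python checker that parses a Strict-Transport-Security value and flags it against the rules above: the six-month minimum, the two-year recommendation, and preload requiring includeSubDomains. The parsing rules (directive names are case-insensitive, unknown directives are ignored, a header without max-age is ignored by browsers, max-age=0 clears the stored policy) follow RFC 6797.

```python
"""Parse a Strict-Transport-Security value and check it against the rules above."""
from dataclasses import dataclass, field
from typing import List, Optional

SIX_MONTHS = 15_768_000  # minimum max-age the article requires
TWO_YEARS = 63_072_000   # max-age the article recommends

@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    warnings: List[str] = field(default_factory=list)

def parse_hsts(header: str) -> HstsPolicy:
    # Directives are semicolon-separated; names are case-insensitive and
    # unknown directives are ignored, as RFC 6797 requires of user agents.
    policy = HstsPolicy()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy.max_age = int(value)
        elif name == "max-age":
            policy.warnings.append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        elif name:
            policy.warnings.append(f"unknown directive ignored: {name!r}")
    return policy

def check_hsts(header: str) -> List[str]:
    """Return the problems to flag; an empty list means the header is sound."""
    p = parse_hsts(header)
    problems = list(p.warnings)
    if p.max_age is None:
        problems.append("max-age is mandatory; without it browsers ignore the header")
    elif p.max_age == 0:
        problems.append("max-age=0 clears the stored policy instead of enforcing HTTPS")
    elif p.max_age < SIX_MONTHS:
        problems.append(f"max-age {p.max_age} is below the six-month minimum ({SIX_MONTHS})")
    elif p.max_age < TWO_YEARS:
        problems.append(f"max-age {p.max_age} is valid but below the recommended two years ({TWO_YEARS})")
    if p.preload and not p.include_subdomains:
        problems.append("preload requires includeSubDomains")
    return problems
```

Run it against the value your server actually sends (for example, the one in the .htaccess snippet below, which sets one year) before submitting to the preload list.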

How to easily add HSTS to WordPress

Simply add the following code snippet to your .htaccess file inside the public_html directory.
You can reach it from your Rocket Domains Dashboard: open Website, then use the "File Manager" option under the "Sites" tab.

<IfModule mod_headers.c>
# Enforce HTTPS for one year (31536000 seconds); use 63072000 for the two years recommended above
Header always set Strict-Transport-Security 'max-age=31536000'
</IfModule>
