HTTP Strict Transport Security (HSTS) is an HTTP header that tells user agents to only connect to a given site securely over HTTPS, even if the scheme chosen was HTTP. HSTS also asks the browser to deal with TLS and certificate-related errors more strictly by preventing users from bypassing the error page.
The HSTS header comprises one mandatory directive (max-age) and two optional directives (includeSubDomains and preload), separated by semicolons.
Directives
max-age: how long user agents will redirect to HTTPS, in seconds
includeSubDomains: whether user agents should upgrade requests on subdomains
preload: whether the site should be included in the HSTS preload list
max-age must be set to at least six months (15768000), but longer periods like two years (63072000) are better. Once this value is set, the site must continue to support HTTPS until the expiry time has been reached.
includeSubDomains tells the browser that all subdomains of the current origin should also be upgraded via HSTS. For instance, setting includeSubDomains on my.rocket.domains will also set it on host1.my.rocket.domains and host2.my.rocket.domains. Be aware that setting the includeSubDomains flag could disable sites on subdomains that don't yet have HTTPS activated.
preload enables the website to be added to the HSTS preload list, upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header. This prevents downgrade attacks upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list requires that includeSubDomains also be set.
HSTS Examples
# Only connect to this site via HTTPS for the next two years (recommended)
Strict-Transport-Security: max-age=63072000
# Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
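As an added example (not part of the original article), the following Python checker parses a Strict-Transport-Security header value and reports where it falls short of the guidance above: a missing or too-short max-age, a max-age below the recommended two years, and preload without includeSubDomains. The thresholds are the page's own values; the function names are my own.

```python
# Six months is the minimum the guidance above allows; two years is recommended.
MIN_MAX_AGE = 15768000
RECOMMENDED_MAX_AGE = 63072000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive (RFC 6797); max-age carries an integer
    number of seconds (optionally quoted), includeSubDomains and preload are flags.
    Unrecognised directives are ignored, as user agents are required to do.
    """
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer: %r" % directive)
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(value):
    """Return a list of findings; an empty list means the value meets the guidance."""
    findings = []
    parsed = parse_hsts(value)
    max_age = parsed["max_age"]
    if max_age is None:
        findings.append("missing mandatory max-age directive")
    elif max_age == 0:
        # max-age=0 tells browsers to forget the host's HSTS policy entirely.
        findings.append("max-age=0 disables HSTS for this host")
    elif max_age < MIN_MAX_AGE:
        findings.append("max-age below the six-month minimum (15768000)")
    elif max_age < RECOMMENDED_MAX_AGE:
        findings.append("max-age below the recommended two years (63072000)")
    if parsed["preload"] and not parsed["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    return findings
```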
How to easily add HSTS to WordPress
Simply add the following code snippet to your .htaccess file inside the public_html directory.
You can access it from your Rocket Domains Dashboard under Website, using the "File Manager" option under the "Sites" tab.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security 'max-age=31536000'
</IfModule>