Force HSTS via htaccess
What is HSTS?
HSTS (HTTP Strict Transport Security) protects users from cookie hijacking and protocol downgrade attacks by forcing browsers to request HTTPS pages
from your domain. HSTS is similar to a 301 redirect from HTTP to HTTPS but at the browser level.
The first time your site is accessed using HTTPS and it returns the
Strict-Transport-Security header, the browser records this
information, so that future attempts to load the site using HTTP will
automatically use HTTPS instead.
When the expiration time specified by the Strict-Transport-Security
header elapses, the next attempt to load the site via HTTP will proceed as
normal instead of automatically using HTTPS.
Whenever the Strict-Transport-Security header is delivered to the
browser, it will update the expiration time for that site, so sites can
refresh this information and prevent the timeout from expiring. Should it be
necessary to disable Strict Transport Security, setting the max-age to 0
(over a https connection) will immediately expire the
Strict-Transport-Security header, allowing access via http.
There may be a specific HSTS configuration appropriate for your website. The following are less secure options and preload-ineligible
as first-time traffic to your site will be able to use insecure HTTP:
Strict-Transport-Security: max-age=10886400; Strict-Transport-Security: max-age=10886400; includeSubDomains
A breakdown of the header:
||Forces HSTS on the domain
||How long the header should be active in seconds
||Authorizes preload listing if eligible (covered below)
Below we’ll cover adding the most secure HSTS configuration using the .htaccess file and submitting your domain to the
Chrome preload list maintained by Google.
Warning: Once enabled, HSTS disallows the user from overriding an invalid or self-signed certificate message. Your website will be inaccessible without a
Enable HSTS for Preloading
'preload' can be left out of the header.
- Using SSH or cPanel File Editor, edit your .htaccess file.
- Add the following line to your .htaccess file:
Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload”
The expiry must be at least 18 weeks (10886400 seconds).
- To submit your domain for preloading, visit Hstspreload.org.
- Type your domain and Check HSTS preload status and eligibility.
The background will turn green or red depending on the results.
- Fix the errors and/or submit your domain for preloading.
After submitting your domain for HSTS preloading, it can take 2-6 months for your domain to be accepted and then listed in the latest browser versions. You can read more about the
preload process at hstspreload.org and
browsers supporting HSTS at Caniuse.com.