HSTS | How To Set Up Strict Transport Security (HSTS)?

This article discusses HTTP Strict Transport Security (HSTS), and how to enable it for your site.

To enable HSTS for your site, you must have a valid SSL certificate already installed and activated. If you do not, and you enable HSTS anyway, visitors will be unable to access your site.

About HSTS

HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections for all future requests when communicating with a web site. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.

Enabling HSTS on Linux

When HSTS is enabled for a site, web browsers automatically change any insecure requests (http://) to secure requests (https://). All you need to do to enable HSTS is add a header to your site's .htaccess file. Web browsers recognize this header, and then take care of the rest without any further intervention on your part.

To enable HSTS for your site, follow these steps:

  1. Using SSH, the cPanel File Manager, or the Plesk File Manager, navigate to the document root of your site.
  2. Use your preferred text editor to open the .htaccess file.
    If the .htaccess file does not already exist, create it.
  3. Copy the following line, and then paste it into the .htaccess file:
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
  4. Save your changes to the .htaccess file. HSTS is now enabled for your site.

    When the web server sends this header, any browser that accesses the site over HTTPS will refuse to load the unsecured HTTP site for the specified length of time (in this case, 31,536,000 seconds, or one year). Therefore, once you have enabled HSTS, do not stop serving your site over SSL: if you do, returning visitors will be unable to access your site until that period has elapsed in their browsers.
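The behaviour described above (the browser remembers the policy for max-age seconds and upgrades every http:// request to https:// in the meantime) is specified in RFC 6797. The following is an added example, not code from this article or from cPanel/Plesk; it models a browser's HSTS store in plain Python (standard library only, Python 3.8+) so you can see why a policy received over plain HTTP is ignored (hence the env=HTTPS on the .htaccess line), why the one-year max-age keeps upgrading requests even after the server stops offering HTTPS, and what includeSubDomains adds in the Windows variant of the header. The times and host names used are constructed for the demonstration.

```python
"""Model of how a browser stores and applies the Strict-Transport-Security header.

Added example; not part of the hosting article. Standard library only.
Times are plain floats (seconds) so expiry can be simulated without waiting a year.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    max_age: int               # seconds, as sent in the header
    expires_at: float          # absolute time at which the policy lapses
    include_subdomains: bool
    preload: bool


def parse_hsts(host: str, header_value: str, now: float) -> Optional[HstsPolicy]:
    """Parse an HSTS header value (RFC 6797 syntax). Returns None if it is invalid."""
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # a directive given twice makes the whole header invalid
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(host, max_age, now + max_age, include_subdomains, preload)


class HstsCache:
    """The per-host policy store a browser keeps (its "known HSTS hosts")."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str], now: float) -> bool:
        """Record a policy from a response. Only HTTPS responses count; a header
        received over plain HTTP is ignored. Returns True if the store changed."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(parts.hostname, value, now)
        if policy is None:
            return False
        if policy.max_age == 0:
            self.policies.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.policies[parts.hostname] = policy
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is known (RFC 6797 s.8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        port = parts.port
        netloc = parts.hostname if port in (None, 80) else f"{parts.hostname}:{port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed "current time"
    cache = HstsCache()
    # the response the .htaccess line above produces over HTTPS
    cache.observe_response("https://example.com/",
                           {"Strict-Transport-Security": "max-age=31536000"}, now)
    print(cache.rewrite_url("http://example.com/login", now))           # upgraded
    print(cache.rewrite_url("http://example.com/login", now + 31536001))  # policy expired
```

Run it as a script to see the upgrade and the expiry. The second print is the point of the warning above: until the stored policy lapses, the browser will not fall back to http:// for that host, whatever the server does.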

Enabling HSTS on Windows

To enable HSTS for your site, follow these steps:

  1. Using the Plesk File Manager, navigate to the document root of your site.
  2. Click on the web.config file to open it in the file editor.
  3. Where the HSTS settings go in web.config depends on what the file already contains. Review the three scenarios below carefully and select the one that matches your situation.
    1. If web.config is empty, simply paste the entire code below into the editor and click apply.
      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <system.webServer>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>

    2. If web.config is populated, look for the <system.webServer> section. If there is no <system.webServer> section, paste in the highlighted code (the entire <system.webServer> block) after the existing contents, as shown.

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <other items>
          </other items>
          <system.webServer>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                              redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>

    3. Finally, if there is already a <system.webServer> section, paste in the highlighted code (the <rewrite> block) inside that section, as shown.

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <other items>
          </other items>
          <system.webServer>
              <other items>
              </other items>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                              redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>
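Whichever of the three scenarios applies, the result should contain the same two rules: a redirect rule that fires only when {HTTPS} is off, and an outbound rule that sets Strict-Transport-Security only when {HTTPS} is on. The following is an added example, not code from this article or from Plesk: a small checker (standard library only) that parses a web.config and reports whether both rules are present and guarded. The complete web.config from scenario 1 is embedded as the good sample; the "unguarded" sample is constructed by stripping the <conditions> blocks, to show the two mistakes that matter (a redirect rule without its condition also matches HTTPS requests and redirects them to themselves, and an outbound rule without its condition emits the header on plain HTTP, where browsers ignore it).

```python
"""Check a web.config for the two IIS rewrite rules the article adds.

Added example, not part of the hosting article. Standard library only.
UNGUARDED_WEB_CONFIG is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Scenario 1 from the article: the complete web.config it supplies.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
"""

# Constructed mistake: the same file with both <conditions> blocks left out.
UNGUARDED_WEB_CONFIG = re.sub(r"\s*<conditions>.*?</conditions>", "",
                              SAMPLE_WEB_CONFIG, flags=re.S)


def _has_condition(rule: ET.Element, input_name: str, pattern: str) -> bool:
    """True if the rule has an <add input=... pattern=...> condition (case-insensitive pattern)."""
    return any(c.get("input") == input_name and c.get("pattern", "").lower() == pattern
               for c in rule.findall("./conditions/add"))


def check_hsts_web_config(xml_text: str) -> Dict[str, object]:
    """Return what was found under <system.webServer><rewrite>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings: Dict[str, object] = {
        "https_redirect_rule": False,
        "redirect_only_when_https_off": False,
        "hsts_outbound_rule": False,
        "hsts_only_when_https_on": False,
        "hsts_max_age": None,
        "hsts_include_subdomains": False,
    }
    web_server = next((c for c in root if c.tag == "system.webServer"), None)
    rewrite = web_server.find("rewrite") if web_server is not None else None
    if rewrite is None:
        return findings
    for rule in rewrite.findall("./rules/rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "Redirect":
            continue
        if not action.get("url", "").startswith("https://"):
            continue
        findings["https_redirect_rule"] = True
        findings["redirect_only_when_https_off"] = _has_condition(rule, "{HTTPS}", "off")
    for rule in rewrite.findall("./outboundRules/rule"):
        match = rule.find("match")
        if match is None or match.get("serverVariable") != "RESPONSE_Strict_Transport_Security":
            continue
        if rule.get("enabled", "true").lower() == "false":
            continue
        findings["hsts_outbound_rule"] = True
        findings["hsts_only_when_https_on"] = _has_condition(rule, "{HTTPS}", "on")
        action = rule.find("action")
        value = action.get("value", "") if action is not None else ""
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age" and val.strip().isdigit():
                findings["hsts_max_age"] = int(val)
            elif name.lower() == "includesubdomains":
                findings["hsts_include_subdomains"] = True
    return findings


def problems(findings: Dict[str, object]) -> List[str]:
    """Turn the findings into a list of things to fix (empty when all is well)."""
    out: List[str] = []
    if not findings["https_redirect_rule"]:
        out.append("no HTTP-to-HTTPS redirect rule")
    elif not findings["redirect_only_when_https_off"]:
        out.append("redirect rule lacks the {HTTPS}=off condition: HTTPS requests would redirect to themselves")
    if not findings["hsts_outbound_rule"]:
        out.append("no outbound rule setting Strict-Transport-Security")
    else:
        if not findings["hsts_only_when_https_on"]:
            out.append("HSTS rule lacks the {HTTPS}=on condition: header also sent on plain HTTP, where browsers ignore it")
        if not findings["hsts_max_age"]:
            out.append("HSTS header has no max-age, so browsers will reject it")
    return out


if __name__ == "__main__":
    for label, text in (("article sample", SAMPLE_WEB_CONFIG), ("unguarded", UNGUARDED_WEB_CONFIG)):
        print(label, problems(check_hsts_web_config(text)) or "OK")
```

To check a real file, read it with `open("web.config", encoding="utf-8").read()` and pass the text to check_hsts_web_config; an empty list from problems means both rules are in place with their conditions.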

More Information

For more information about HSTS, please visit https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security.