Can I enable HSTS?

Austin Beresford
Published: 14 August 2020

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

You can enable this by adding the following to your .htaccess file:

Header set Strict-Transport-Security "max-age=5184000; includeSubDomains; preload"

The 'max-age' value is the length of time, in seconds, that browsers cache the policy for; the 5184000 above works out to 60 days.

Be aware that if you set this header, the site will only ever load over HTTPS.

For instance, while people can usually click through a browser warning about a name mismatch or expired certificate, browsers do not allow such a click-through for hostnames with an active HSTS policy. It also means that if you ever move the site to a web hosting provider that doesn't support HSTS, or if you wish to remove the certificate, you cannot do so without the site becoming unavailable to returning visitors until their cached max-age expires. The 'preload' token in the example above goes further still: it signals that the site may be submitted to the browsers' built-in HSTS preload lists, and once a hostname is on those lists the policy applies before the first visit and cannot be undone simply by removing the header.
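To check what a given header value actually commits you to before deploying it, here is an added example (not part of the original article) that parses a Strict-Transport-Security value the way RFC 6797 describes, converts max-age from seconds to days, and lists why the value would be rejected by the HSTS preload list; the preload thresholds are the published hstspreload.org requirements and are an assumption to verify against the current submission rules.

```python
import re

# Published hstspreload.org requirement (assumption: verify against current rules).
PRELOAD_MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value):
    """Parse an HSTS header value; return its directives, or None if invalid."""
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted string
        if name in seen:                     # RFC 6797: each directive appears at most once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            max_age = int(arg)               # seconds, not days
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as browsers do
    if max_age is None:                      # max-age is mandatory
        return None
    return {"max_age": max_age, "days": max_age / 86400,
            "include_subdomains": include_subdomains, "preload": preload}


def preload_problems(policy):
    """Return the reasons a parsed policy fails preload-list eligibility (empty if eligible)."""
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems


if __name__ == "__main__":
    policy = parse_hsts("max-age=5184000; includeSubDomains; preload")  # the value from the article
    print(policy, preload_problems(policy))
```

Note that the article's 60-day value carries the preload token but is too short for the preload list, so it is worth deciding whether you want that token there at all.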