HSTS (HTTP Strict Transport Security) is a web security policy that aims to protect websites against SSL/TLS stripping attacks by forcing web browsers to communicate only via HTTPS. When a website has HSTS enabled, it tells web browsers that all communication with the website should use HTTPS, even if a user manually enters an HTTP URL. This helps prevent Man-in-the-Middle (MITM) attacks and other forms of malicious interception of traffic.

To enable HSTS on your website, you need to add an HSTS header to your server response. The HSTS header specifies the duration of time that the browser should automatically redirect to HTTPS, and optionally includes a preload directive that enables your website to be included in the HSTS preload list, which is a list of domains that are hardcoded into popular web browsers.

To add an HSTS header, you need to modify the distributed configuration file (.htaccess) of your domain. This is located in the document root of your domain, for example in the "public_html" folder.

Here is an example of how to set the HSTS header:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

In this example, max-age specifies the number of seconds that the browser should remember to use HTTPS, includeSubDomains includes all subdomains of the domain, and preload indicates that the website should be included in the browser preload list.

Please assure that all sub-domains support the HTTPS protocol and have valid SSL certificates if you use the includeSubDomains option. Otherwise, you and your visitors will no longer be able to access sub-domains that don't. If all sub-domains are hosted on our servers, both conditions should be fulfilled.

After you've added the HSTS header to your server response, it may take some time for the changes to propagate to all your visitors' browsers. Once it's in effect, users will automatically be redirected to HTTPS when they visit your website, helping to improve their security and protect their privacy.

DISCLAIMER: The scripts provided in our knowledgebase are for informational purposes only. We do not provide any warranty or support. It is essential to review and modify the scripts to fit your site's specific needs. There may be unforeseen outcomes when adding new script code to an existing website. You should discuss it with your website manager and seek advice from an experienced website developer if you are unsure.

Updated by SP on 27/04/2023

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

Introduction to AutoSSL

Maxer Host are making it easier than ever to secure your website with HTTPS. We have introduced...
Check SSL certificate status for your domains

Is there a valid and signed SSL certificate on your website? Maxer Host recommends all websites...
Allowing AutoSSL installer access to a website with directory privacy / password protection

Update: In the meantime, cPanel has added the DNS DCV (Domain Control Validation) validation...
Block requests to the "xmlrpc.php" file using .htaccess

XML-RPC is a procedure that uses XML file encoding to make a remote call to your website. It is...
Enabling HTTPS on a WordPress website

Nowadays every website should have an SSL certificate. Ideally, every website should be 100%...