HTTP Strict Transport Security

The HSTS (HTTP Strict Transport Security) header tells a browser that all communication with the site must be sent over HTTPS (HTTP Secure). Once a browser has seen the header, it upgrades plain HTTP requests to HTTPS itself and prevents the user from clicking through HTTPS certificate warnings.

Before implementing this header, make sure every page of your website is accessible over HTTPS; otherwise those pages will be blocked.

The HSTS header is supported by the latest versions of all major browsers, including IE, Firefox, Opera, Safari, and Chrome. It has three configuration parameters.

Parameter          Meaning
max-age            Duration (in seconds) for which the browser must send requests to this site only over HTTPS.
includeSubDomains  The policy also applies to all subdomains.
preload            Use if you would like your domain to be included in the HSTS preload list.

So let’s take the example of configuring HSTS for one year, with preload, for the domain and its subdomains.
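As an added example (not part of the original page), the following Python parses a Strict-Transport-Security header value into its three parameters and checks whether it meets the preload list requirements the page describes (a max-age of at least one year, includeSubDomains and preload). The header values in the test are constructed samples.

```python
import re

# One year in seconds, the max-age used in this page's Apache and Nginx examples.
ONE_YEAR = 31536000

# A directive is a token, optionally followed by "=" and a (possibly quoted) integer.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*"?(\d+)"?)?\s*$')


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns a dict with max_age (int or None), include_subdomains (bool),
    preload (bool) and problems (list of str). Directive names are matched
    case-insensitively, as RFC 6797 requires; unknown directives are ignored.
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "problems": []}
    seen = set()
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            result["problems"].append(f"unparseable directive: {raw.strip()!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in seen:  # RFC 6797 forbids repeating a directive
            result["problems"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg is None:
                result["problems"].append("max-age has no value")
            else:
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        result["problems"].append("max-age is required")
    return result


def preload_eligible(value):
    """True if the header satisfies the preload-list requirements:
    no parse problems, max-age of at least one year, includeSubDomains, preload."""
    p = parse_hsts(value)
    return (not p["problems"] and p["max_age"] is not None
            and p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"])
```

Run it against the header your server actually returns (for example the value shown by curl -I on the HTTPS URL) to confirm the configuration took effect.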

Apache HTTP Server

You can implement HSTS in Apache by adding the following entry to the httpd.conf file (the Header directive requires mod_headers to be enabled):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Restart Apache to apply the change.

Nginx

To configure HSTS in Nginx, add the following entry to nginx.conf inside the server block that handles SSL:

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

As usual, you will need to restart Nginx for the change to take effect.

Cloudflare

If you are using Cloudflare, then you can enable HSTS in just a few clicks.

  • Log in to Cloudflare and select the site
  • Go to the “Crypto” tab and click “Enable HSTS.”

Select the settings you need; the changes are applied on the fly.

Microsoft IIS

Launch IIS Manager, open “HTTP Response Headers” for the respective site, and add the header there.

Restart the site to apply the change.
