
Forum Moderators: Ocean10000 & incrediBILL & phranque

HSTS

Best way to implement

     
2:16 am on Nov 27, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 2, 2006
posts:2212
votes: 6


Hi,

So, after switching a site to HTTPS, one of the steps is to get that HSTS thing as well. Would this code in .htaccess be a good way of doing it:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";


Is there anything else about this add_header command one should know?

Also, if the server is configured to run as FastCGI, is .htaccess still the only option? Just curious. I know that some PHP-related stuff goes out of .htaccess into other config files like php.ini or .user.ini.

Thank you
3:05 am on Nov 27, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11144
votes: 116


add_header

is this an apache server or nginx?

is .htaccess still the only option?

assuming this is relevant to apache (and php is irrelevant in this case), you could put this directive in your .htaccess file or the relevant container of your server config file if you have access to that:
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
4:35 am on Nov 27, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 2, 2006
posts:2212
votes: 6


Yes, it is an Apache server. So it would be the Header directive, ok, thanks. I already had some variations noted down, but that slipped my mind when I picked the add_header one. I also came across the Header append variation, but could not figure out what the effect would be in the end.

And speaking of this directive... I see there's an option to add a site to [hstspreload.org...] for Chrome. It was new to me to see that it warned me about straight redirect from http://example.com to https://www.example.com. It asked me to reconfigure it to this:

http://example.com >301> https://example.com >301> https://www.example.com

Wasn't it that we always wanted fewer redirects, and how much would one support this?

Thank you
7:21 am on Nov 27, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10453
votes: 609


You want the header set

I use it the same way, just with a longer expiry:
Header set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload"


Ah, looks like phranque already suggested it :)

more security headers here [webmasterworld.com]

As far as hstspreload.org is concerned, I saw those errors as well and decided to forget about it. I think it's a limitation with their validation tool because my config passes all other tools.
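An added example, not part of the thread: a small offline checker for the redirect question raised above. It shows why the hop through https://example.com matters: that response is the only place a browser can receive an HSTS policy for the bare domain. The function names, the sample chains and the one-year minimum (taken from hstspreload.org's stated requirement) are assumptions of this example.

```python
from urllib.parse import urlsplit

MIN_PRELOAD_MAX_AGE = 31536000  # one year; assumed from hstspreload.org's stated minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, set of other directives)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name:
            flags.add(name)
    return max_age, flags

def check_chain(hops):
    """hops: list of (url, status, headers) in the order a browser follows them.
    Returns a list of problems; an empty list means the chain looks preload-ready."""
    problems = []
    first = urlsplit(hops[0][0])
    apex = first.hostname
    # Rule 1: the plain-HTTP request must redirect to HTTPS on the *same* host.
    location = urlsplit(hops[0][2].get("Location", ""))
    if first.scheme == "http" and (location.scheme, location.hostname) != ("https", apex):
        problems.append(f"http://{apex} must redirect to https://{apex} first")
    # Rule 2: the HTTPS response from the apex host must carry the full policy,
    # even when that response is itself a 301 to www.
    apex_https = [h for h in hops if urlsplit(h[0]).scheme == "https"
                  and urlsplit(h[0]).hostname == apex]
    if not apex_https:
        problems.append(f"https://{apex} is never requested, so no HSTS policy is set for it")
    for url, status, headers in apex_https:
        max_age, flags = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if max_age is None or max_age < MIN_PRELOAD_MAX_AGE:
            problems.append(f"{url} ({status}): max-age missing or under one year")
        for needed in ("includesubdomains", "preload"):
            if needed not in flags:
                problems.append(f"{url} ({status}): missing {needed}")
    return problems

# Constructed sample chains (not captured traffic).
HSTS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
DIRECT = [("http://example.com/", 301, {"Location": "https://www.example.com/"}),
          ("https://www.example.com/", 200, HSTS)]
TWO_HOP = [("http://example.com/", 301, {"Location": "https://example.com/"}),
           ("https://example.com/", 301, {"Location": "https://www.example.com/", **HSTS}),
           ("https://www.example.com/", 200, HSTS)]
```

On Apache, a header added with `Header set` is not attached to redirect responses; `Header always set` is the form that also covers the 301 issued from https://example.com.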
 
