
2.12.10. Configuring HSTS

HSTS is a mechanism for forcing the transition from HTTP to HTTPS. The policy instructs the browser to switch all requests to the domain from HTTP to HTTPS and is delivered in the Strict-Transport-Security header, described in RFC 6797. Keep in mind that the HSTS policy is cached for the specified period, and during this time it is not possible to return to HTTP except by manually clearing the browser's security policies.

Important points:

  • The HSTS policy applies only after the first visit to the site. On the first visit, the browser does not yet know about the header and the request can be made over HTTP.
  • Not all browsers support this technology. Browsers without support ignore the header. Support is implemented in all Chromium-based browsers (Chrome, Opera, Yandex and others) and in Firefox.
  • The HSTS policy is stored for specific domains for the period specified in the transmitted header. Until this period expires, it is impossible to switch to HTTP without manually clearing the cache.
  • Do not set a large max-age right away. Set the parameter to 900 to check that the site works, and if everything is in order, change it to a higher value.
  • Adding the HSTS header in .htaccess works only under the Apache web server; under LiteSpeed or PHP-FPM the rule in .htaccess will be ignored.

To enable HSTS (HTTP Strict Transport Security), add the following line to the .htaccess file in the site directory:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

  • max-age - the period for which browsers cache the policy.
  • includeSubDomains - apply the policy to all subdomains.
  • preload - a parameter that ensures the policy is enabled for the domain in supported browsers, so that the switch from HTTP to HTTPS happens before the site is loaded.

After adding the header, check that it works correctly at hstspreload.org; there you can also submit the site to the browsers' preloaded HSTS list.
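
Before submitting to hstspreload.org, the header value can be reviewed locally. The following is an added example, not part of the original article or of any hosting tool: it parses a Strict-Transport-Security value following RFC 6797 and reports the staged-rollout and preload issues discussed above. The names parse_hsts and review_hsts are hypothetical, and the preload threshold (max-age of at least 31536000 plus includeSubDomains) is an assumption taken from the hstspreload.org submission requirements.

```python
import re

PRELOAD_MIN_AGE = 31536000  # assumption: hstspreload.org minimum; also the value in the .htaccess line
TRIAL_MAX_AGE = 900         # short trial value suggested in the article


def parse_hsts(value):
    """Parse a header value into {directive: value-or-None}.

    RFC 6797 section 6.1: directive names are case-insensitive, each
    directive may appear only once, and max-age is required.
    Raises ValueError when a browser would have to ignore the header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives, such as a trailing ';', are allowed
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        # Values may be tokens or quoted strings, e.g. max-age="900"
        directives[name] = val.strip().strip('"') if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        raise ValueError("max-age missing or not a non-negative integer")
    directives["max-age"] = int(age)
    return directives


def review_hsts(value, over_https=True):
    """Return a list of findings for one response header value."""
    if not over_https:
        # RFC 6797 section 8.1; this is why the rule carries env=HTTPS
        return ["ignored: browsers only honour HSTS received over HTTPS"]
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    subdomains = "includesubdomains" in d
    if d["max-age"] <= TRIAL_MAX_AGE:
        findings.append("trial: short max-age, raise it once the site is verified")
    if not subdomains:
        findings.append("subdomains are not covered")
    if "preload" in d and (d["max-age"] < PRELOAD_MIN_AGE or not subdomains):
        findings.append("preload set, but the policy does not qualify for the preload list")
    return findings or ["ok"]
```

Feed it the value returned by the live site (for example from the response headers shown in the browser's developer tools) at each stage of the rollout, first with max-age=900 and then with the final value.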