HSTS (HTTP Strict Transport Security) is a mechanism for forcing the transition from HTTP to HTTPS. The policy is delivered in the Strict-Transport-Security response header, described in RFC 6797, and instructs the browser to rewrite every request to the domain from HTTP to HTTPS before it is sent. It is important to take into account that the browser caches the policy for the period given in max-age, and during that time the site cannot be returned to plain HTTP: a browser that has cached the policy will refuse the HTTP version until the policy expires or the user manually clears the browser's security state. Start with a short max-age: set it to 900 (15 minutes), check that the site works over HTTPS, and raise the value once everything is in order.

To enable HSTS, add the following line to the .htaccess file in the site directory:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
max-age - the period, in seconds, for which browsers cache the policy (31536000 is one year).
includeSubDomains - apply the policy to all subdomains as well. Make sure every subdomain is reachable over HTTPS before adding this, because browsers will refuse plain HTTP connections to them too.
preload - signals consent to have the domain included in the HSTS preload list built into Chrome, Firefox, Edge and Safari, so that the browser uses HTTPS even on the very first visit, before any response has been seen. The directive alone does not add the domain to the list: the domain must be submitted at hstspreload.org, which requires a max-age of at least 31536000, includeSubDomains, the preload directive, and a redirect from HTTP to HTTPS on the base domain. Removal from the preload list takes months, so submit only once the policy is known to be correct.
env=HTTPS - an Apache condition that sets the header only on responses served over HTTPS. Browsers ignore the header when it arrives over plain HTTP, so sending it there is pointless. Use "Header always set" instead of "Header set" if the header should also be sent on redirects and error responses, since "Header set" only applies to successful (2xx) responses.
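To check a header before raising max-age or submitting for preload, the following added example (not part of the original article) parses a Strict-Transport-Security value according to the directive syntax of RFC 6797 and reports why it would fail the hstspreload.org requirements listed above. The function names, the PRELOAD_MIN_MAX_AGE constant and the sample header strings are assumptions for this example; the eligibility rules it encodes are the header-level ones only, hstspreload.org additionally checks the redirect chain and certificate.

```python
"""Parse a Strict-Transport-Security header and check it against the
header-level hstspreload.org requirements.

Added example for this article, not code from the original page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# hstspreload.org requires at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the header value per RFC 6797 section 6.1.

    Directive names are case-insensitive and separated by ';'. A directive
    may appear only once, and a header containing malformed or duplicated
    directives must be ignored by browsers, so those are reported as errors.
    Only max-age is required; unknown directives are skipped so that future
    extensions do not break parsing.
    """
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    errors: List[str] = []
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # values may be quoted strings
        if name in seen:
            errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                errors.append(f"max-age must be a non-negative integer, got {value!r}")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        errors.append("max-age is missing; browsers ignore the header")
    return HstsPolicy(max_age, include_subdomains, preload, errors)


def preload_problems(policy: HstsPolicy) -> List[str]:
    """Return the header-level reasons the policy would be rejected for
    preloading. An empty list means the header itself is acceptable."""
    problems = list(policy.errors)
    if policy.max_age is not None and policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {policy.max_age} is below the required {PRELOAD_MIN_MAX_AGE}"
        )
    if not policy.include_subdomains:
        problems.append("includeSubDomains is required")
    if not policy.preload:
        problems.append("preload directive is required")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: the article's final value and a test-phase value.
    for sample in (
        'max-age=31536000; includeSubDomains; preload',
        'Max-Age="900"',
        'includeSubDomains; preload',
    ):
        problems = preload_problems(parse_hsts(sample))
        print(f"{sample!r}: {'OK for preload' if not problems else problems}")
```

Run the checker against the value the server actually sends (for example the output of curl -sI https://example.com | grep -i strict-transport-security) rather than against the .htaccess line, since a directive can be silently dropped by a misconfigured module or an intermediate proxy.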