
Setting up HSTS for a website

What is HSTS?

HTTP Strict Transport Security (HSTS) is an instruction from the web server that tells the web browser (or any other HTTP client) how the connection between the server and the browser must be handled. This instruction is sent right at the beginning of the response, in the so-called “response header”.

A simple redirection from HTTP to HTTPS can still be bypassed, because the first request is sent unencrypted. The “Strict-Transport-Security” header forces the web browser to establish every connection to the domain over HTTPS, upgrading any request for resources of the domain that a script wants to load over HTTP. This means that, for example, cookies or session IDs of the website cannot be intercepted on an unencrypted connection, nor can the user be redirected to a phishing site through a manipulated HTTP response.

Why use HSTS?

  • HSTS is a way to increase the security of the connection to your website.
  • The increased security can also have a positive effect on Google’s ranking.

What are the requirements for HSTS?

  • Valid SSL certificate for the website and all other subdomains
  • Redirection of all requests from HTTP to HTTPS
  • HSTS max-age must be at least 1 year
  • HSTS includeSubDomains must be enabled
  • HSTS preload must be enabled

What do the individual values for HSTS mean?

HSTS max-age

Time in seconds during which the web browser considers the web page to be a known HSTS host and does not establish connections over HTTP.

HSTS includeSubDomains

Ensures that the HSTS policy is applied not only to the domain, but also to all sub-domains, e.g. example.com and www.example.com.

HSTS preload

Whether to include the web page in the HSTS preload list maintained by Chrome (and used by Firefox, Safari, IE 11, and Edge). When HSTS preload is active, the web browser accesses the page over HTTPS from the very first request, because it knows in advance that this page can only be accessed over HTTPS.
Sending the preload directive can cause problems and prevent users from accessing the web page and its subdomains if you later switch the page back to HTTP.
If HSTS preload is active, you can add your website to the list maintained by Chrome at https://hstspreload.org.

Test HSTS with a website

Before you “arm” HSTS for your website, you should first test your site with HSTS. The following requirements must be met for a test:

  • Valid SSL certificate for the website and all other subdomains
  • Redirection of all requests from HTTP to HTTPS

On our managed servers, you can only activate HSTS if you have also set up a valid SSL certificate for the website. Other requirements will be automatically adjusted when you enable HSTS.

Once you have activated HSTS, set “HSTS max-age” to one week at first for testing purposes, so that any problems can be detected while the policy still expires quickly. If the test phase is successful and without problems, you can set “HSTS max-age” to one month and extend your tests, or you can activate HSTS completely.
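The directives explained above and the staged test values (one week, one month, then the full policy) can be checked mechanically. The following Python snippet is an added example, not code from this page or from ISPConfig: it parses a Strict-Transport-Security header value and reports which of the stated requirements (max-age of at least one year, includeSubDomains, preload) the header does not yet meet. The helper and function names are assumptions.

```python
# Stage values used on this page, in seconds.
ONE_WEEK = 7 * 24 * 3600      # 604800   – first test phase
ONE_MONTH = 30 * 24 * 3600    # 2592000  – extended test phase
ONE_YEAR = 365 * 24 * 3600    # 31536000 – minimum for a fully armed policy

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive; unknown directives are ignored.
    A missing max-age leaves 'max_age' as None, which makes the header invalid.
    """
    policy = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            policy["max_age"] = int(value)  # max-age=0 tells browsers to forget the host
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_problems(header_value):
    """Return the reasons a header does not meet the page's requirements for
    fully armed HSTS. An empty list means the header passes."""
    p = parse_hsts(header_value)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age directive missing (header is invalid)")
    elif p["max_age"] < ONE_YEAR:
        problems.append(f"max-age {p['max_age']} is below one year ({ONE_YEAR})")
    if not p["includeSubDomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload missing")
    return problems

def hsts_header(max_age, include_subdomains=True, preload=False):
    """Build the header value for one stage; add preload only once the policy is final."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)
```

Running `hsts_problems` against the header your server actually sends (for example the value shown by `curl -sI https://example.com`) tells you which stage the site is in before you submit it to hstspreload.org.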

Enable HSTS for a website

If your website has a valid SSL certificate, you can enable HSTS. Log in to ISPConfig and open the corresponding website. Under “Advanced options” you will find the appropriate settings: