79 views - 14 May 2019

HTTP Strict Transport Security is ment to protect your website against protocol downgrade attacks. (HTTP over HTTPS requests)

This will declare to use HTTPS only, this will also require you to have a valid SSL certificate at all times. If you do not have a certificate or it is expired, people will not be able to visit your website. (As your webserver is telling people to require SSL by HSTS which is not present/valid)

To do this, we will be adding the following header to your site configuration file:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

In SSH (or by "Edit NGINX Configuration" inside the "Manage" tab on site level) add this inside the server{} block. E.g.:

server {

server_name example.com

...

# Add HSTS header

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

...

}

Be sure to have an SSL certificate setup, otherwise you will encounter errors and visitors will not be able to visit your website.

After this has been setup, we recommend you submit your website hostname to this website: https://hstspreload.org/

This is a preload submission list for Chrome, where other known browsers also work with (like FireFox, Internet Explorer, Opera, Safari). 

Ploi handles all the difficult things that you don't want to do. Are you ready?

Create an account, or contact us.