
HTTP Strict Transport Security (HSTS) protects your website against protocol downgrade attacks, where a browser is made to talk to your site over plain HTTP instead of HTTPS.

The header tells browsers to use HTTPS only for your site, which means you must have a valid SSL certificate at all times. If you have no certificate or it has expired, visitors will not be able to reach your website: the browser remembers the HSTS policy, refuses the plain HTTP fallback, and the certificate the policy relies on is missing or invalid.

To do this, we will be adding the following header to your site configuration file:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

In SSH (or via "Edit NGINX Configuration" inside the "Manage" tab on site level) add this inside the server{} block. Note that NGINX only inherits add_header from the server block into a location block when that location block defines no add_header of its own, so the header must be repeated in any location that sets other headers. E.g.:

server {

  listen 443 ssl;
  server_name example.com;

  # Your ssl_certificate / ssl_certificate_key directives belong here
  # (a valid certificate is required before enabling HSTS).

  # Add HSTS header. The "always" flag makes NGINX send it on error
  # responses too, not only on 2xx/3xx responses.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

}
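After reloading NGINX, you will want to confirm that the header is actually sent and that its value meets the preload submission requirements. The following bash script is an added example (not part of the original article or of the hosting panel): it extracts the Strict-Transport-Security header from a raw HTTP response, such as the output of curl -sI https://example.com, and checks the value against the hstspreload.org requirements as they are commonly stated (max-age of at least 31536000 seconds, includeSubDomains and preload present). The sample response below is constructed for the example.

```shell
#!/usr/bin/env bash
# Check an HSTS header value for preload readiness.
# Assumed requirements (hstspreload.org): max-age >= 31536000, includeSubDomains, preload.

# Print the value of the first Strict-Transport-Security header in a raw HTTP response.
# Header names are case-insensitive, so the match is done on the lower-cased name.
hsts_from_response() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "strict-transport-security" { print $2; exit }'
}

# Validate a header value. Prints each problem found; exit status 0 means preload-ready.
hsts_check() {
    local value="$1" problems=0 max_age="" has_sub=0 has_preload=0 directive
    local -a parts
    IFS=';' read -ra parts <<< "$value"
    for directive in "${parts[@]}"; do
        # Directive names are case-insensitive (RFC 6797); strip whitespace and lower-case them
        directive="$(printf '%s' "$directive" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
        case "$directive" in
            max-age=*)        max_age="${directive#max-age=}" ;;
            includesubdomains) has_sub=1 ;;
            preload)           has_preload=1 ;;
            "")                ;;
            *) echo "warning: unknown directive '$directive'" ;;
        esac
    done

    if [ -z "$max_age" ]; then
        echo "problem: max-age directive is missing"; problems=$((problems + 1))
    else
        case "$max_age" in
            *[!0-9]*|"") echo "problem: max-age '$max_age' is not a number"; problems=$((problems + 1)) ;;
            *) if [ "$max_age" -lt 31536000 ]; then
                   echo "problem: max-age $max_age is below the one-year minimum (31536000)"
                   problems=$((problems + 1))
               fi ;;
        esac
    fi
    [ "$has_sub" -eq 1 ] || { echo "problem: includeSubDomains is missing"; problems=$((problems + 1)); }
    [ "$has_preload" -eq 1 ] || { echo "problem: preload is missing"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}

# Constructed sample response, standing in for the output of: curl -sI https://example.com
SAMPLE_RESPONSE='HTTP/2 200
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-type: text/html'

# Demonstration when run directly
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    value="$(hsts_from_response "$SAMPLE_RESPONSE")"
    echo "header value: ${value:-<none>}"
    if hsts_check "$value"; then
        echo "result: preload-ready"
    else
        echo "result: not preload-ready"
    fi
fi
```

In practice, replace the constructed sample with the real response: value="$(hsts_from_response "$(curl -sI https://example.com)")" and then run hsts_check "$value". Check the site over HTTPS; browsers ignore HSTS headers received over plain HTTP, so a check against the http:// URL proves nothing.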

Be sure to have an SSL certificate set up first; otherwise you will encounter errors and visitors will not be able to visit your website.

After this has been set up, we recommend you submit your website hostname to the HSTS preload list: https://hstspreload.org/

This is the preload submission list maintained for Chrome; other major browsers (Firefox, Internet Explorer, Opera, Safari) also use it. Preloading is hard to undo, since removal from the list takes time to reach browsers, so only submit once every hostname and subdomain is served over HTTPS permanently.

14 May 2019 (last updated 3 years ago)

8499 views

Written by Dennis Smink

Dennis brings over 6 years of hands-on experience in server management, specializing in optimizing web services for scalability and security.
