How do I activate HSTS?
In this article, we explain how to activate HTTP Strict Transport Security (HSTS).
More explanation about what HSTS is can be found in the article: What is HSTS?
Activate HSTS
You can activate HSTS in 2 ways: via your control panel or via a rule in your .htaccess file.
Below we first explain how to activate it via your control panel.
Provide subdomains with HSTS or not?
An important question to ask first is whether you want to include your subdomains (the includeSubDomains directive). If you do, a browser that has seen the header will refuse plain HTTP for every subdomain, including ones that do not have a valid certificate yet, such as a webmail, staging or internal host. Check that every subdomain works over HTTPS before you include them.
The max-age setting indicates how many seconds a browser should remember that your site is HTTPS only. A browser keeps enforcing HSTS for that whole period, even if you later stop sending the header, so our advice is to start low and only increase max-age once you are sure everything is set correctly. A good schedule is to start with 5 minutes; if that works well, switch to 1 day, then 1 week, then 1 month and finally 1 year.
DirectAdmin
As far as we know, there is no option in DirectAdmin to activate HSTS with a mouse click.
However, it is possible to use the .htaccess method.
cPanel
As far as we know, there is no option in cPanel to activate HSTS with a mouse click.
However, it is possible to use the .htaccess method.
SATserver
Log in to www.satserver.nl
In the menu on the left, go to Advanced --> Server Features.
Under Strict-Transport-Security, select Domain + all subdomains or Domain Only.
At the bottom, click customize.
Plesk
Log in to the Plesk hosting environment.
Click SSL/TLS (see the image below).
Then, on the left side, enable HSTS as shown in the image below.
Next, select the time period.
Then check whether you want to provide subdomains with HSTS or not.
Then click the button: "Enable HSTS" to activate it.
Via .htaccess
Activate HSTS (including subdomains and preload, for 5 minutes)
Add the following line to your .htaccess so that your domain and subdomains use HSTS. This requires the Apache module mod_headers. The keyword always makes Apache add the header to every response, including redirects and error pages, and env=HTTPS makes sure the header is only sent on HTTPS connections (mod_ssl sets the HTTPS variable for those). Browsers ignore an HSTS header received over plain HTTP, so sending it there has no use. If your site sits behind a proxy or CDN that terminates TLS, the HTTPS variable may not be set and the header will then never be sent, so check the response headers after you add the rule.
Header always set Strict-Transport-Security "max-age=300; includeSubDomains; preload" env=HTTPS
Note that the above line also provides your subdomains with HSTS; you can of course modify it to your liking.
If you do not want to provide your subdomains with HSTS, omit includeSubDomains; we give some examples below.
The preload directive does nothing by itself: it only signals that you intend to submit your domain to the browsers' built-in preload list at hstspreload.org. Do not submit your domain until you have completed the schedule below, because removal from that list can take months to reach users.
We have set max-age to 300 seconds (5 minutes) so that you can check that HSTS is working properly, for example by looking at the response headers with curl -I or in your browser's developer tools.
Activate HSTS (including subdomains and preload, for 5 days)
If it works properly, you can activate HSTS for a longer period (for example 5 days) with the line below:
Header always set Strict-Transport-Security "max-age=432000; includeSubDomains; preload" env=HTTPS
Note that there must be no space between max-age= and the number. A value such as max-age= 432000 is not valid according to RFC 6797, and a browser that follows the grammar strictly will ignore the whole header.
Activate HSTS (including subdomains and preload, for 1 month)
If you are sure that 5 days also works well, you can then switch to one month (max-age=2592000):
Header always set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload" env=HTTPS
Activate HSTS (including subdomains and preload, for 1 year)
Once you are sure this is working properly, you can switch to one year with the following line:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Browsers honour any max-age, but the preload list at hstspreload.org only accepts domains that send a max-age of at least one year (31536000 seconds) together with includeSubDomains and preload. Only at this stage does it make sense to submit your domain there.
You can modify the line to your liking: the number of seconds in max-age, whether you use includeSubDomains, and whether you use preload.
If you want to provide only your domain name with HSTS but not your subdomains, you can use for example the following line:
Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
Note that the preload list requires includeSubDomains, so a domain with this line will not be accepted there; in that case it is cleaner to leave preload out as well.
You can also choose not to use preload, in which case you simply omit the word preload (and the semicolon before it).
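To verify each step of the schedule above, you want to look at the header your server actually sends rather than at the .htaccess file. The script below is an added example for this article, not code from any control panel or from Apache: it takes the raw response headers (what curl -sI prints), extracts the Strict-Transport-Security value, and reports whether it is well-formed, whether max-age still has whitespace around "=", and whether the policy meets the preload list requirements. The host www.example.com in the comments is a placeholder, and the verdict labels are chosen for this example. The sample header block at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# hsts_check.sh: inspect the Strict-Transport-Security header a site returns.
# Added example for this article; not part of any control panel or of Apache.
# Typical use (www.example.com is a placeholder host):
#   curl -sI https://www.example.com/ | sh hsts_check.sh
# The plain-HTTP response should NOT carry the header (see hsts_over_http).

# Print the value of the Strict-Transport-Security header found in a header
# block on stdin (header name matched case-insensitively, CRLF tolerated).
# Prints nothing when the header is absent.
hsts_value() {
    tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Evaluate one header value (the part after "Strict-Transport-Security:").
# Prints exactly one verdict and returns 0 for a usable policy, 1 otherwise.
# Verdict labels are constructed for this example:
#   missing                   no header at all; HSTS is not active
#   bad-max-age               max-age missing, not all digits, or written with
#                             whitespace around "=" (RFC 6797 allows none)
#   preload-needs-subdomains  preload set without includeSubDomains; the
#                             preload list will not accept this
#   short-max-age             valid, but max-age below one year (31536000 s);
#                             fine while ramping up, not yet preload-eligible
#   preload-ready             max-age >= 1 year, includeSubDomains and preload
#   ok                        valid policy without the preload directive
# Quoted directive values (max-age="300") are legal but not handled here.
hsts_check() {
    value=$1
    max_age=""; subdomains=0; preload=0; bad=0
    if [ -z "$value" ]; then
        echo missing
        return 1
    fi
    # Split on ";" into the function's positional parameters (no globbing).
    old_ifs=$IFS
    IFS=';'
    set -f
    set -- $value
    set +f
    IFS=$old_ifs
    for directive in "$@"; do
        # Whitespace around a whole directive is allowed, around "=" it is not.
        directive=$(printf '%s' "$directive" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        name=$(printf '%s' "${directive%%=*}" | tr 'A-Z' 'a-z')
        case $name in
            max-age)
                raw=${directive#*=}
                case $raw in
                    ''|*[!0-9]*) bad=1 ;;   # empty, "= 432000", "300s", ...
                    *) max_age=$raw ;;
                esac
                ;;
            includesubdomains) subdomains=1 ;;
            preload) preload=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ -z "$max_age" ]; then
        echo bad-max-age
        return 1
    fi
    if [ "$preload" -eq 1 ] && [ "$subdomains" -eq 0 ]; then
        echo preload-needs-subdomains
        return 1
    fi
    if [ "$max_age" -lt 31536000 ]; then
        echo short-max-age
    elif [ "$preload" -eq 1 ]; then
        echo preload-ready
    else
        echo ok
    fi
    return 0
}

# For the plain-HTTP response of the same site (curl -sI http://...): browsers
# ignore HSTS received over HTTP, so its presence there means the env=HTTPS
# condition is missing or the HTTPS variable is not set behind your proxy.
hsts_over_http() {
    if [ -n "$(hsts_value)" ]; then
        echo header-sent-over-http
        return 1
    fi
    echo clean
}

# Demo on a constructed header block (not captured from a real server).
sample_https='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=300; includeSubDomains; preload
Content-Type: text/html'
policy=$(printf '%s\n' "$sample_https" | hsts_value)
printf 'policy:  %s\nverdict: %s\n' "$policy" "$(hsts_check "$policy")"
```

Run the check once per stage of the schedule: at the 5-minute stage you expect short-max-age, and only the one-year line with includeSubDomains and preload gives preload-ready. Checking the http:// response as well confirms that env=HTTPS is doing its job.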