
HTTP Strict Transport Security configuration

If a user types example.com in their browser, the server can redirect them to the HTTPS version of the website, but that still leaves a window of opportunity (the initial plaintext HTTP connection) for an attacker to downgrade or redirect the request.

Note:

HTTP Strict Transport Security is not revocable, and you must ensure that you can serve the site over HTTPS for as long as you have specified in the max-age directive.

If you no longer have a valid TLS connection (e.g. because the TLS certificate has expired), your visitors will see an error message even when they attempt to connect over HTTP.

The following header ensures that a browser only connects to your server via HTTPS, regardless of what the user types in the browser's address bar. The expr condition sends the header only on responses served over HTTPS, because browsers ignore an HSTS header received over plain HTTP.

<IfModule mod_headers.c>
    # Uncomment one of the two directives below. The "expr" condition sends the
    # header only over HTTPS; browsers ignore HSTS received over plain HTTP.
    # Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
    # (1) Enable your site for HSTS preload inclusion.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
</IfModule>
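As an added example (not part of the page's Apache configuration or of the h5bp project), the following Python script parses a Strict-Transport-Security header value the way RFC 6797 describes, checks it against the requirements the preload list imposes (which the second, preload-tagged directive above is meant to satisfy), and shows why the header only matters when delivered over HTTPS. The function names and the sample header values are this example's own; the max-age values 16070400 and 31536000 are the ones from the configuration above.

```python
"""Validate Strict-Transport-Security header values (added example, not the
page's Apache configuration). Parsing follows RFC 6797 section 6.1; the preload
requirements are those published by hstspreload.org."""
import re
from dataclasses import dataclass, field

# Minimum max-age (one year, in seconds) required for preload-list inclusion;
# matches the preload directive in the configuration above.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool
    problems: list = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse one header value. Directives are ';'-separated, names are
    case-insensitive, max-age is required, duplicates make the header invalid,
    and unknown directives are ignored (RFC 6797 sections 6.1 and 8.1)."""
    problems = []
    max_age = None
    include_subdomains = False
    preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the RFC allows a quoted-string value
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                problems.append(f"max-age must be a non-negative integer, got {arg!r}")
            else:
                max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as the RFC requires
    if max_age is None:
        problems.append("max-age directive is required")
        max_age = 0
    return HstsPolicy(max_age, include_subdomains, preload, problems)


def preload_problems(policy: HstsPolicy) -> list:
    """Reasons the policy would be rejected for preload-list submission."""
    out = list(policy.problems)
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        out.append(f"max-age {policy.max_age} is below the preload minimum "
                   f"of {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        out.append("includeSubDomains is required for preload")
    if not policy.preload:
        out.append("preload directive is required")
    return out


def browser_action(policy: HstsPolicy, over_https: bool) -> str:
    """What a conforming browser does with the header: it is ignored on plain
    HTTP (the reason for the expr=%{HTTPS} == 'on' guard) or when invalid,
    max-age=0 removes a stored policy, anything else records one."""
    if not over_https or policy.problems:
        return "ignore"
    return "remove" if policy.max_age == 0 else "record"


if __name__ == "__main__":
    # Constructed sample values: the two header values from the configuration
    # above, plus a malformed one.
    for sample in ("max-age=16070400; includeSubDomains",
                   "max-age=31536000; includeSubDomains; preload",
                   "includeSubDomains"):
        policy = parse_hsts(sample)
        print(f"{sample!r}: browser={browser_action(policy, True)}, "
              f"preload issues={preload_problems(policy)}")
```

Running the script shows that the first directive from the page records a policy but is not eligible for preload (its max-age is below one year and it lacks the preload token), while the second satisfies all three preload requirements.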