• Resolved drunkfox

    (@drunkfox)


    Hi there. First of all I apologize for my English, I know it’s not the best.

    I enabled the Force HTTP Strict-Transport-Security function, and then I tested my site here: https://hstspreload.org/

    The tool found two errors:
    Error: No includeSubDomains directive
    The header must contain the includeSubDomains directive.
    Error: Max-age too low
    The max-age must be at least 31536000 seconds (= 1 year), but the header currently only has max-age=10886400.

    So, I edited the .htaccess file like this:
    # SGS HSTS Header Service
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # SGS HSTS Header Service END

    1) I’m not an expert, so please, I want to know if I made any mistake in editing the .htaccess file.

    2) After my changes, I submitted my site to the tool again. The result was: Eligibility: guidedolomiti.com is eligible for the HSTS preload list (here: https://hstspreload.org/?domain=guidedolomiti.com).
    My question now is: should I submit guidedolomiti.com to the HSTS preload list?

    Thank you.

  • Plugin Author Stoyan Georgiev

    (@stoyangeorgiev)

    Hey there @drunkfox,

    I hope you are doing well!

    I guess your question is related to our other plugin – SiteGround Security.

    When we add the HSTS headers to the htaccess file, we do not add the includeSubDomains directive since it may lead to unexpected behavior when accessing subdomains. We’ve done what is necessary to ensure that the HSTS policies are met and a secure connection to a website is forced. The includeSubDomains directive makes sure that the HSTS policies are added for the subdomains as well. As I’ve mentioned, this could sometimes lead to unexpected behavior. If you do not use any, it should work perfectly fine. Keep in mind, however, that if you have any subdomains and they are not properly configured to work over HTTPS, or any requests or assets are requested via HTTP, this may lead to the assets/requests being blocked.

    Finally, if the changes you’ve made to that HSTS rule suit your needs and you do not experience any issues, you can submit your site to be added to the https://hstspreload.org/ list. Keep in mind that this may take some time. Keep in mind that you must also “make sure your site continues to satisfy the submission requirements at all times”, as the website states.

    Kind regards,
    Stoyan
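
The header checks discussed in this thread, as an added example that is not part of the original posts and is not code from the plugin or from hstspreload.org: it parses a Strict-Transport-Security value and reports what blocks preload eligibility. The function names and the `BEFORE` value are assumptions; `BEFORE` is constructed to match the two errors the tool reported, and the `preload` directive check reflects the hstspreload.org submission requirements.

```python
import re

MIN_PRELOAD_MAX_AGE = 31536000  # one year, the minimum quoted by the tool in this thread


def parse_hsts(value):
    """Parse a header value into {directive: value-or-None}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty directive such as a trailing ';'
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # RFC 6797 allows the value as a quoted-string
        if name in directives:
            # RFC 6797: a directive must not appear more than once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val if sep else None
    return directives


def preload_errors(value):
    """Return the problems that block preload eligibility (empty list if none)."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        errors.append("missing or non-numeric max-age")
    elif int(max_age) < MIN_PRELOAD_MAX_AGE:
        errors.append(f"max-age too low: {max_age} < {MIN_PRELOAD_MAX_AGE}")
    if "includesubdomains" not in d:
        errors.append("no includeSubDomains directive")
    if "preload" not in d:
        errors.append("no preload directive")
    return errors


# Constructed inputs: a value consistent with the two reported errors, and the edited header.
BEFORE = "max-age=10886400; preload"
AFTER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for header in (BEFORE, AFTER):
        print(header, "->", preload_errors(header) or "header meets the preload checks")
```

This only inspects the header value; the subdomain behaviour described in the reply above still has to be verified on each subdomain over HTTPS.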

    Thread Starter drunkfox

    (@drunkfox)

    Hi Stoyan.
    You are right, my question was related to SiteGround Security plugin, I’m sorry for my stupid mistake.
    Thank you very much for your detailed reply.
    All the best!

  • The topic ‘Force HTTP Strict-Transport-Security’ is closed to new replies.