Enabling HSTS is essential now that you’ve got your SSL Certificate installed as you are still not safe as hackers can still get around it by ‘Man in the Middle attacks’.
With the SSL cerificate installed your website will still be accessible via https but you can still open your website with http. To prevent this from happening you need to enable HSTS in your headers. The http headers can be setup in the root .htaccess file, which is a hidden file on the web server and usually found in public_html. This means that you are declaring that your website is only accessible over a secure connection (HTTPS).
To enable HSTS simply add this code to the top of your root .htaccess file:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Before playing with this file you should always make a backup, if you get it wrong then you could break or kill your website. The backup will help you getting your website back up and running again.
Website Security Service
As part of our Web Security Service we can secure your website with other web security measures including enabling HSTS.
More Information (External Links)
- HSTS – The missing link in Transport Layer Security by Scott Helme
- What Is HSTS and How Do I Implement It? by Denver Prophit Jr
Test your SSL Certificate
Qualys SSL Server Test >> (external link, opens in a new tab)
Now with HSTS enabled, Qualys have given this website an A+
Chrome’s HTTP Strict Transport Security (HSTS) preload list
This form is used to submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.
If you would like to enable HSTS on your website or want the full
Website Security Service then please Contact Us Now! and we will set it up for you for peace of mind.