HSTS (HTTP Strict Transport Security) protects users from cookie hijacking and protocol downgrade attacks by forcing browsers to request HTTPS pages from your domain. HSTS is similar to a 301 redirect from HTTP to HTTPS but at the browser level.
Here we'll be covering the most secure HSTS configuration. A different configuration may be appropriate for your website, but other configurations may be less secure and may not be eligible for preloading.
Below we detail the steps to add the HSTS configuration to your website's .htaccess file and submit your domain to the HSTS preload list, maintained by Google.
Enable HSTS in .htaccess file
CAUTION: Once enabled, HSTS does not allow the user to click through an invalid or self-signed certificate warning. This means your website will be inaccessible without a valid SSL certificate.
- Log into cPanel
- Navigate to File Manager, located under the Files section
- Navigate to the domain's document root
- Locate the .htaccess file, right-click on it and click Edit
NOTE: Because .htaccess starts with a "." it is considered a hidden file, so you will need to ensure hidden files are shown.
- Add the following code (the quotes around the header value must be straight ASCII double quotes; typographic "curly" quotes are not recognised by Apache's configuration parser and will break the directive):
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>
- Click the Save Changes button
Submit Domain for Preloading
- Visit hstspreload.org
- Enter your domain and click the Check HSTS preload status and eligibility button
- The background will turn green or red depending on the results
- If eligible, review the details listed and select the applicable check boxes, then click the Submit button; if ineligible, fix the errors reported and test again
NOTE: After submitting your domain for HSTS preloading, it can take 2-6 months for your domain to be accepted and then listed in the latest browser versions. You can read more about the preload process at hstspreload.org and browsers supporting HSTS at Caniuse.com.
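The eligibility check at hstspreload.org looks at the Strict-Transport-Security header your site actually sends. The following added example (not part of this article or of hstspreload.org) parses a header value and lists why it would fail the preload requirements; it assumes the current minimum max-age of 31536000 seconds (one year), while the 10886400-second (18-week) value used in the .htaccess snippet above matches the older minimum, so both thresholds are shown.

```python
ONE_YEAR = 31536000        # current hstspreload.org minimum max-age, in seconds
EIGHTEEN_WEEKS = 10886400  # older preload minimum; the value used in the article's header


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive and separated by ';'.  Returns None
    when the value is malformed: max-age absent or non-numeric, or a directive
    repeated (RFC 6797 allows each directive at most once).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return directives


def preload_problems(value, min_age=ONE_YEAR):
    """Return the reasons a header value would be rejected for preloading.

    An empty list means it passes the three checks performed here: max-age at
    least min_age, includeSubDomains present, preload present.
    """
    directives = parse_hsts(value)
    if directives is None:
        return ["malformed header: max-age missing or not a number"]
    problems = []
    if int(directives["max-age"]) < min_age:
        problems.append(f"max-age {directives['max-age']} is below the minimum {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


# Constructed sample values: the article's header, and the same header as it
# would arrive if typographic quotes were pasted into .htaccess instead of ASCII ones.
ARTICLE_HEADER = "max-age=10886400; includeSubDomains; preload"
CURLY_QUOTE_HEADER = "\u201cmax-age=10886400; includeSubDomains; preload\u201d"

if __name__ == "__main__":
    for hdr in (ARTICLE_HEADER, CURLY_QUOTE_HEADER):
        print(repr(hdr), "->", preload_problems(hdr) or "eligible")
```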