How do you enable HTTP Strict Transport Security (HSTS)?

HTTP Strict Transport Security (HSTS) tells browsers to only communicate with your website over HTTPS. This prevents protocol downgrade attacks and cookie hijacking by ensuring all connections use SSL/TLS.

Caution

Before enabling HSTS, make sure your site has a valid SSL certificate installed and is fully working over HTTPS. Once HSTS is active, browsers will refuse to load your site over plain HTTP for the duration of the max-age value. See How do I force SSL/HTTPS on my websites? for setting up HTTPS redirects first.

Enabling HSTS

Add the following to your site’s .htaccess file:

Header always set Strict-Transport-Security "max-age=31536000"

This tells browsers to only use HTTPS when connecting to your site for one year (31,536,000 seconds).

Including subdomains

To apply HSTS to all subdomains as well:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

HSTS preloading

To submit your domain to the HSTS preload list (which hardcodes the HTTPS requirement into browsers), use:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Caution

HSTS preloading is difficult to undo. Only enable the preload directive if you are certain that your entire domain and all subdomains will permanently support HTTPS.