Force HSTS in Apache .htaccess

Jan Reilink GNU Linux

I wrote about enabling HTTP Strict Transport Security (HSTS) in IIS earlier. But what about enabling HSTS in Apache .htaccess? Here is how.

Add to your .htaccess file the following to force HSTS in Apache:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"Code language: Apache (apache)

This enables HTTP Strict Transport Security for your website in Apache, it uses max-age of 3153600 seconds (36,5 days), has includeSubDomains enabled for your SSL certificate on www. and uses preload.

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

How to enable HTTP Strict-Transport-Security (HSTS) on IIS.

Now the HTTP Strict-Transport-Security (HSTS) response header for your website is tackled in this article. If necessary, you can add an HTTP Content-Security-Policy (CSP) upgrade-insecure-requests header as well in your .htaccess.

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site’s insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

CSP: upgrade-insecure-requests

Add in your .htaccess file:

Header set Content-Security-Policy: upgrade-insecure-requests;Code language: Apache (apache)

That’s all.

Related Posts

Share this post

Share on LinkedIn Share on Reddit

Jan Reilink

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace - The Human Cloud. In the past I worked for clidn and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.