How to implement HSTS?

If the site has an HTTPS certificate installed (as all sites at Seravo have), the security of the site can be further improved by enabling a web server response header called HTTP Strict Transport Security, abbreviated HSTS.

The HTTP header in question informs the browser (and the whole internet) that the site always uses HTTPS and is never meant to be used over an unencrypted connection. Therefore, if the browser for any reason sees the site without encryption, it knows that something unusual is happening (e.g. DNS hijacking) and refuses to load the suspicious site at all.

HSTS can be implemented by going to the folder /data/wordpress/nginx/ and creating a new file there, called for example hsts.conf, with the following content:

add_header Strict-Transport-Security "max-age=63072000";

After the change you must remember to issue the command wp-restart-nginx so that the new setting takes effect.

There is also a stricter version of the setting that additionally informs browsers that all subdomains will always use an encrypted connection, and that sites residing on subdomains must not be loaded if the connection is not encrypted. However, we do not recommend this to all our customers: before it is sensible to put this additional restriction into effect, an expert must first verify that every subdomain of the domain really does serve only encrypted connections, always and everywhere. This inspection can be ordered from Seravo as expert work.
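After wp-restart-nginx, the sensible check is to fetch the site over HTTPS and confirm that the header is actually present with the intended max-age (and, for the stricter variant, the includeSubDomains directive). The following is an added example, not code from Seravo's documentation: it parses and validates a Strict-Transport-Security header from raw response headers; the sample responses are constructed here, and the one-year minimum age is an assumed threshold.

```python
import re

# Constructed sample HTTP responses (not captured from a real site) covering
# the basic header from hsts.conf, the stricter subdomain variant, and a
# response where the header is missing, e.g. because nginx was not restarted.
SAMPLE_RESPONSES = {
    "as_configured": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=63072000\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "strict_subdomains": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n\r\n"
    ),
    "missing_header": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

def parse_hsts(raw_response):
    """Return the HSTS directives of a raw HTTP response, or None if absent."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            result = {"max_age": None, "include_subdomains": False, "preload": False}
            for directive in value.split(";"):
                directive = directive.strip()
                m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
                if m:
                    result["max_age"] = int(m.group(1))
                elif directive.lower() == "includesubdomains":
                    result["include_subdomains"] = True
                elif directive.lower() == "preload":
                    result["preload"] = True
            return result
    return None

def check_hsts(raw_response, min_age=31536000):
    """List problems with the HSTS header; an empty list means it is acceptable.
    min_age (assumed threshold): one year, which hsts.conf's two years exceeds."""
    hsts = parse_hsts(raw_response)
    if hsts is None:
        return ["Strict-Transport-Security header is missing"]
    problems = []
    if hsts["max_age"] is None:
        problems.append("max-age directive is missing")
    elif hsts["max_age"] < min_age:
        problems.append(f"max-age {hsts['max_age']} is below {min_age} seconds")
    return problems
```

Note that nginx's add_header is only emitted on successful (2xx/3xx) responses unless the `always` parameter is appended to the directive, so it is worth checking an error page as well as the front page.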

For more information, see Seravo's website developer documentation at https://seravo.com/docs/configuration/nginx/#adding-hsts-headers
