
How to Implement HSTS?


If the site has an HTTPS certificate (as all sites hosted at Seravo do), its security can be further improved with HTTP Strict Transport Security, abbreviated HSTS: a response header the web server sends that instructs browsers to use HTTPS only for that site.

The header tells a browser that has received it over HTTPS that the site must only ever be reached over an encrypted connection. For as long as the policy is valid (its max-age), the browser rewrites any http:// URL for that host to https:// before sending the request, and it refuses to continue past a certificate error instead of offering a "proceed anyway" button. An attacker who has hijacked DNS or otherwise placed themselves in the path, and who cannot present a certificate valid for the site, therefore gets a hard failure rather than a user who clicks through a warning, and downgrade ("SSL stripping") attacks on links and redirects no longer work. The protection only starts once the browser has seen the header on a successful HTTPS visit, so a first visit, or one after the cached policy has expired, is not yet covered; the preload directive shown further down exists to close that gap.

HSTS Enabled by Default

HSTS is enabled by default at Seravo, and the configuration is located on the server in the file /data/wordpress/nginx/security.conf. By editing this file, you can tighten the HSTS rules. After making changes, remember to restart the HTTP server (nginx) by running the command wp-restart-nginx for the changes to take effect.

By default, the HSTS configuration is as follows (max-age is given in seconds; 63072000 is two years, after which a browser that has not seen the header again forgets the policy):

add_header Strict-Transport-Security "max-age=63072000";

Two nginx behaviours matter if you edit this. An add_header directive in a location block replaces all add_header directives inherited from the server level rather than adding to them, so any location that sets its own headers must repeat this one, or that part of the site is served without HSTS. And without the always parameter, nginx adds the header only to 2xx and 3xx responses, not to 4xx or 5xx error pages; appending always (nginx 1.7.5 and later) makes it send the header on every response. After changing the file, run wp-restart-nginx so the new setting takes effect.

There is also a stricter variant that adds two directives. includeSubDomains tells browsers that every subdomain of the host that sent the header must also be reached over HTTPS only, so a subdomain served over plain HTTP, or with an invalid certificate, stops loading in any browser that has cached the policy; this includes subdomains you may not think of as part of the website, such as ones used for mail, staging or internal tools. preload signals the site owner's consent to be added to the HSTS preload list at hstspreload.org, which is compiled into Chrome, Firefox, Safari and Edge so that the policy applies even on a browser's very first visit. Submission to that list requires a max-age of at least one year (31536000 seconds), includeSubDomains and preload together, plus a redirect from HTTP to HTTPS on the bare domain, and removal from it takes months to reach users because it has to ship in browser releases, so the decision is hard to undo. For these reasons we don't recommend this to all our customers: an expert must first verify that every subdomain of the domain really serves only HTTPS, always and everywhere, before it is sensible to enable this restriction. This inspection can be ordered from Seravo as expert work.

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
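To see what the two header values above actually mean to a browser, here is an added example (not Seravo's code and not part of the original article) that parses a Strict-Transport-Security value the way RFC 6797 prescribes, decides whether a cached policy would force HTTPS for a given hostname, and lists the reasons hstspreload.org would reject the header. The host names example.com, www.example.com and notexample.com are constructed for the demonstration.

```python
"""Parse Strict-Transport-Security values and apply them as a browser would.
Added example (not Seravo's code); the parsing rules follow RFC 6797 and the
preload checks follow the published hstspreload.org submission requirements."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # hstspreload.org requires max-age of at least one year

# The two header values from the security.conf snippets on this page.
SERAVO_DEFAULT = "max-age=63072000"
SERAVO_STRICT = "max-age=63072000; includeSubDomains; preload"


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int              # seconds the browser remembers the policy
    include_subdomains: bool  # policy also covers every subdomain of the host
    preload: bool             # site consents to inclusion in the preload list


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy encoded in a header value, or None if a browser would
    ignore the header: no max-age, a non-numeric max-age, or any directive
    given more than once (RFC 6797 section 6.1)."""
    max_age: Optional[int] = None
    seen = set()
    include_subdomains = preload = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        arg = arg.strip().strip('"')  # max-age may be written as a quoted-string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def policy_covers(policy_host: str, policy: HstsPolicy, request_host: str) -> bool:
    """Would a browser that cached `policy` from `policy_host` force HTTPS
    (and hard-fail on certificate errors) for a request to `request_host`?"""
    if policy.max_age == 0:
        return False  # max-age=0 tells the browser to forget the policy
    ph = policy_host.lower().rstrip(".")
    rh = request_host.lower().rstrip(".")
    if rh == ph:
        return True
    # The "." prefix keeps notexample.com from counting as a subdomain.
    return policy.include_subdomains and rh.endswith("." + ph)


def preload_problems(value: str) -> list:
    """Reasons hstspreload.org would reject this header value. An empty list
    means the header itself qualifies; the site must additionally redirect
    HTTP to HTTPS and serve every subdomain over HTTPS, which a header check
    cannot verify."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is invalid and would be ignored by browsers"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} is below the one-year minimum {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    for label, value in (("default", SERAVO_DEFAULT), ("strict", SERAVO_STRICT)):
        policy = parse_hsts(value)
        print(f"{label}: {policy}")
        for host in ("example.com", "www.example.com", "notexample.com"):
            print(f"  forces HTTPS for {host}: {policy_covers('example.com', policy, host)}")
        print(f"  preload problems: {preload_problems(value) or 'none'}")
```

Running it shows the practical difference between the two configurations: the default value protects example.com itself but leaves www.example.com and every other subdomain uncovered and fails two of the preload-list requirements, while the strict value covers all subdomains (but still not the unrelated notexample.com) and is accepted by the header checks.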
