All websites hosted by Seravo have an HTTPS certificate enabled by default. You can further enhance your website's security by enabling HTTP Strict Transport Security (HSTS).
This HTTP response header tells browsers that the site must always be accessed over a secure HTTPS connection and must never be loaded over an unencrypted one. Once a browser has seen the header, it upgrades any plain HTTP request for the site to HTTPS on its own, and if a secure connection cannot be established (for example because the certificate does not match, as happens in a DNS hijacking attempt), it treats the situation as suspicious and refuses to load the page to protect the user instead of offering a click-through warning.
HSTS Is Enabled by Default at Seravo
You do not need to take any action for baseline HSTS protection, as it is already active for all new sites at Seravo. The default configuration can be found on the server in the file /data/wordpress/nginx/security.conf and looks like this:
add_header Strict-Transport-Security "max-age=63072000;";
This instructs the browser to remember the secure connection requirement for the next two years (63072000 seconds).
How to Tighten HSTS Settings?
If you want to enforce stricter HSTS rules (for instance, to require encryption for all subdomains), you can modify the server configuration via an SSH connection.
Step 1: Edit the Configuration File
Open and edit the file /data/wordpress/nginx/security.conf and replace the default line with the stricter version:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
Note: This stricter setting forces all subdomains (includeSubDomains) to use an HTTPS connection, including subdomains that are not hosted at Seravo. Do not enable it unless you are 100% certain that every single one of your subdomains (e.g., test.yourdomain.com) has a valid and working SSL certificate.
Furthermore, the preload directive allows your domain to be submitted to the global HSTS preload list maintained by Google and shipped with all major browsers. Adding the directive does not submit the domain by itself; submission is done manually, and if your site is added to the list, removing it in the event of a misconfiguration can take months. If needed, you can order a technical review from Seravo as an expert service to ensure your environment is fully ready for stricter HSTS settings.
Step 2: Restart the HTTP Server
For your changes to take effect, you must restart the nginx web server from the command line (SSH) using the following command:
wp-restart-nginx
Alternative Method: Sending the HSTS Header via PHP Code
It is also possible to send the HSTS header directly from your website's PHP code (for example, in your theme's functions.php file) by utilizing WordPress's send_headers hook. However, within Seravo's environment, we primarily recommend the nginx-level configuration detailed above for better performance and reliability: the PHP approach only attaches the header to responses generated by WordPress, not to static files that nginx serves directly.
Testing Your Configuration
Once you have made the changes and restarted the server, you can verify that your HSTS header is configured correctly and check your domain's eligibility for the official preload list by using the tool at: hstspreload.org. The tool also checks that plain HTTP requests to your domain are redirected to HTTPS, which is a separate requirement from the header itself.
