How to activate HSTS for your domain

What is HSTS?

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.

What is required?

In order for HSTS to function, you must have:

  1. an SSL/TLS certificate (included and pre-installed for free by default for all xneelo domains)
  2. a forced redirect to HTTPS set up on the domain.

How to activate

HSTS can be set up on a domain by adding the following code to the .htaccess file of the domain:

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
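The env=HTTPS condition sends the header only on HTTPS responses, which is correct because browsers ignore HSTS received over plain HTTP. The following Python script is an added example, not part of this article or of xneelo's configuration: it parses the header value used above out of a constructed sample response and checks it against the browser preload list requirements (max-age of at least one year, includeSubDomains and preload present), which is a useful check after activation.

```python
import re

# The value set by the .htaccess directive in this article.
PAGE_HEADER_VALUE = "max-age=31536000; includeSubDomains; preload"

# Constructed sample of the response headers a browser would see over HTTPS
# once the directive is active (e.g. from `curl -I https://example.com/`).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # seconds; minimum max-age required for preloading


def parse_hsts(value):
    """Split an HSTS header value into a dict of directives (names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_problems(value):
    """Return the reasons a header value is not eligible for the preload list."""
    d = parse_hsts(value)
    problems = []
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems


def hsts_from_response(raw_headers):
    """Extract the Strict-Transport-Security value from raw response headers."""
    m = re.search(r"^strict-transport-security:\s*(.+?)\r?$", raw_headers, re.I | re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    value = hsts_from_response(SAMPLE_RESPONSE)
    print("HSTS value:", value)
    print("problems:", hsts_problems(value) or "none")
```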