Force https with HTTP Strict Transport Security (HSTS)

Jul 14, 2021 by Thibault Debatty | 1885 views

Secure Software Development

Once you have https enabled for your website (with Letsencrypt for example), you should make sure all your users use the secure version of the site. Typically this done using a redirect. However this still leaves a window of opportunity (the initial HTTP connection) for an attacker to downgrade or redirect the request. With a Strict Transport Security header, you can force a browser to only connect to your server using HTTPS.

Photo by Rob King on Unsplash

This header has a max-age value, that defines for how long this directive is enforced. This also means that HSTS is not revokable for as long as you've specified in the max-age directive. If you don't have a valid TLS connection anymore (e.g. due to an expired TLS certificate) your visitors will see an error message even when attempting to connect over HTTP.

Here is a simple example, that you should add to your .htaccess:

<IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=604800"

It will force https for 1 week (604800 seconds).

This blog post is licensed under CC BY-SA 4.0

This website uses cookies. More information about the use of cookies is available in the cookies policy.