Force https with HTTP Strict Transport Security (HSTS)

Jul 14, 2021 by Thibault Debatty | 356 views

Secure Software Development

https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts

Once you have https enabled for your website (with Letsencrypt for example), you should make sure all your users use the secure version of the site. Typically this done using a redirect. However this still leaves a window of opportunity (the initial HTTP connection) for an attacker to downgrade or redirect the request. With a Strict Transport Security header, you can force a browser to only connect to your server using HTTPS.

Photo by Rob King on Unsplash

This header has a max-age value, that defines for how long this directive is enforced. This also means that HSTS is not revokable for as long as you've specified in the max-age directive. If you don't have a valid TLS connection anymore (e.g. due to an expired TLS certificate) your visitors will see an error message even when attempting to connect over HTTP.

Here is a simple example, that you should add to your .htaccess:

<IfModule mod_headers.c>
  # https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts
  Header set Strict-Transport-Security "max-age=604800"
</IfModule>

It will force https for 1 week (604800 seconds).