Force https with HTTP Strict Transport Security (HSTS)

Once you have https enabled for your website (with Letsencrypt for example), you should make sure all your users use the secure version of the site. Typically this done using a redirect. However this still leaves a window of opportunity (the initial HTTP connection) for an attacker to downgrade or redirect the request. With a Strict Transport Security header, you can force a browser to only connect to your server using HTTPS.

This header has a max-age value, that defines for how long this directive is enforced. This also means that HSTS is not revokable for as long as you've specified in the max-age directive. If you don't have a valid TLS connection anymore (e.g. due to an expired TLS certificate) your visitors will see an error message even when attempting to connect over HTTP.

Here is a simple example, that you should add to your .htaccess:

<IfModule mod_headers.c>
  # https://cylab.be/blog/156/force-https-with-http-strict-transport-security-hsts
  Header set Strict-Transport-Security "max-age=604800"
</IfModule>

It will force https for 1 week (604800 seconds).

This blog post is licensed under CC BY-SA 4.0