HSTS (HTTP Strict Transport Security) is a web security policy that helps defend a website against protocol downgrade attacks and cookie hijacking.
It lets a web server declare that browsers should interact with the site only over secure HTTPS connections and never over plain HTTP. HSTS is an IETF standards-track protocol specified in RFC 6797.
Note: To enable HSTS for your site, you must already have a valid SSL certificate installed and activated. If you do not have a valid certificate and enable HSTS anyway, visitors will be unable to access your site.
Applies to: Linux Hosting, VPS Hosting and Dedicated Servers with CentOS.
- Navigate to the ~/public_html directory using FTP or the cPanel File Manager.
- Look for a .htaccess file; if it is not present, create it. Open the file for editing.
- Copy the following line and paste it into the .htaccess file:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
- Save your changes to the .htaccess file. HSTS is now enabled for your site.
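The line above makes Apache (via mod_headers) attach a Strict-Transport-Security header to responses, and the env=HTTPS condition limits it to responses served over TLS, which matters because browsers ignore HSTS received over plain HTTP. The following added example, which is not part of this article, is a small checker for that header: it parses a header value according to the directive grammar of RFC 6797 and flags the problems that commonly appear when HSTS is first enabled (missing or repeated max-age, a short lifetime, or the header being emitted on HTTP responses). The sample responses are constructed inline; the function and class names are the example's own.

```python
# Added example: validate Strict-Transport-Security header values and check
# that HSTS is only sent on HTTPS responses. Not code from the hosting article.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the max-age used in the .htaccess line


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # A policy is usable only if max-age is present and nothing was malformed.
        return self.max_age is not None and not self.problems


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS header field value into a policy, recording violations.

    Directives are separated by ';', names are case-insensitive, and the
    max-age argument may be quoted. RFC 6797 section 6.1 forbids repeating a
    directive and requires max-age; unknown directives are ignored.
    """
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue  # tolerate an empty directive such as a trailing ';'
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            policy.problems.append(f"directive '{name}' repeated")
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                policy.problems.append("max-age is not a non-negative integer")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None:
        policy.problems.append("max-age directive missing (header will be ignored)")
    return policy


def check_responses(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Check (scheme, headers) pairs: HSTS must be present and sane on HTTPS,
    and should not be sent on plain HTTP at all (browsers discard it there,
    which is exactly what the env=HTTPS condition in .htaccess enforces)."""
    findings = []
    for scheme, headers in responses:
        hdrs = {k.lower(): v for k, v in headers.items()}
        sts = hdrs.get("strict-transport-security")
        if scheme == "https":
            if sts is None:
                findings.append("https: HSTS header missing")
                continue
            policy = parse_hsts(sts)
            findings.extend(f"https: {p}" for p in policy.problems)
            if policy.max_age is not None and policy.max_age < ONE_YEAR:
                findings.append(f"https: max-age {policy.max_age} is below one year")
        elif sts is not None:
            findings.append("http: HSTS header sent over plain HTTP (ignored by browsers)")
    return findings


# Constructed sample responses, as a server with the .htaccess line might send.
SAMPLE_RESPONSES = [
    ("https", {"Strict-Transport-Security": "max-age=31536000"}),  # correct
    ("http", {"Location": "https://example.com/"}),  # plain-HTTP redirect, no HSTS: correct
    ("https", {"Strict-Transport-Security": "max-age=300; includeSubDomains; max-age=300"}),
]

if __name__ == "__main__":
    for finding in check_responses(SAMPLE_RESPONSES):
        print(finding)
```

In practice you would feed the checker with headers captured from a real request to your own site (for example the output of a HEAD request made over HTTPS and over HTTP) and confirm that only the HTTPS response carries the header with the one-year max-age the article sets.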