HSTS and other security response headers are HTTP response headers that tell the browser which security settings to enforce for your site. It is recommended that you enable them. The instructions below will assist you in enabling these settings for either your Linux (DirectAdmin & cPanel) or Windows (SolidCP) hosting.
Linux Hosting
How to enable HSTS (Linux Hosting)
The HSTS header tells the browser to automatically upgrade insecure requests (http) to secure requests (https). The browser only learns this after its first visit to the site, so you will still need a 301 redirect to force the site onto SSL on that first visit. To enable HSTS you add a Strict-Transport-Security header to your responses.
To enable HSTS for your website, follow the below steps.
- Log into your hosting control panel. (DirectAdmin or cPanel)
- Navigate to your /public_html directory within your file manager.
- Edit the .htaccess file or create a new one.
- Copy the code below, and then paste it into the .htaccess file.
- Save your changes to the .htaccess file.
- HSTS is now enabled for your site.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
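The following added example (not part of the original article) models how a browser applies the Strict-Transport-Security header. It shows the three points made above: the header has no effect on the very first plain-http request (hence the separate 301 redirect), a browser ignores the header when it arrives over plain http (which is why the .htaccess line only sends it when the HTTPS environment variable is set), and the policy lapses once max-age has passed. The class and function names are this example's own.

```python
"""Simplified model of browser-side HSTS handling (added example, hypothetical names)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_max_age(header_value):
    """Return the max-age directive of an HSTS header as an int, or None if absent/invalid."""
    for directive in header_value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


class HstsStore:
    """Hypothetical, minimal HSTS cache keyed by host name (no includeSubDomains)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, seconds since the epoch
        self._policies = {}      # host -> expiry timestamp

    def process_response(self, url, headers):
        """Record the policy carried by a response, following the RFC 6797 rules:
        only an https response is honoured; max-age=0 clears the entry."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False                      # browsers ignore HSTS received over http
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age = parse_max_age(value)
        if max_age is None:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = self._now() + max_age
        return True

    def is_known(self, host):
        """True while the host has an unexpired policy; expired entries are dropped."""
        host = host.lower()
        expiry = self._policies.get(host)
        if expiry is None:
            return False
        if expiry <= self._now():
            del self._policies[host]
            return False
        return True

    def rewrite_request(self, url):
        """Upgrade an http URL to https if the host has an unexpired policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def first_and_second_visit(clock_start=1_000_000.0):
    """Walk through the scenario described in the text with a constructed host name.
    Returns the URL the browser would request on the first visit, on a later visit
    after an https response carried HSTS, and after the policy has expired."""
    now = [clock_start]
    store = HstsStore(now=lambda: now[0])
    hsts = {"Strict-Transport-Security": "max-age=31536000"}   # same value as the .htaccess line
    first = store.rewrite_request("http://www.example.com/")          # not upgraded: nothing cached yet
    store.process_response("http://www.example.com/", hsts)           # ignored: arrived over plain http
    store.process_response("https://www.example.com/", hsts)          # recorded: arrived over https
    second = store.rewrite_request("http://www.example.com/page")     # upgraded to https
    now[0] += 31536000 + 1                                            # move the clock past max-age
    third = store.rewrite_request("http://www.example.com/page")      # policy expired: not upgraded
    return first, second, third


if __name__ == "__main__":
    print(first_and_second_visit())
```

Because the first request is never upgraded by HSTS, the server-side 301 redirect remains the only thing protecting that first visit; the header then keeps the browser on https for the next year of visits without any round trip over plain http.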
How to enable security headers using .htaccess file (Linux Hosting)
The following security headers enable the browser's cross-site scripting (XSS) filter, prevent click-jacking by disallowing framing from other origins, and tell the browser to respect the declared content types rather than guessing (sniffing) them.
We have combined these into a single code snippet. Add the code below to your website's root .htaccess file. These are the most basic options.
#Security Headers
<IfModule mod_headers.c>
# Enables the browser's legacy XSS filter (older browsers only; modern browsers ignore it)
Header set X-XSS-Protection "1; mode=block"
# Allows framing only by pages from the same origin (prevents click-jacking).
# "set" rather than "append" so an existing value is replaced: browsers reject
# a combined value such as "SAMEORIGIN, SAMEORIGIN"
Header always set X-Frame-Options SAMEORIGIN
# Stops the browser from sniffing content types that differ from the declared one
Header set X-Content-Type-Options nosniff
# Only allows scripts, styles and other resources from your own domain
Header set Content-Security-Policy "default-src 'self'"
</IfModule>
The content-security-policy line in the above code can be removed if it causes problems on your website. The policy states that only scripts from your own domain are allowed on your site so it is fairly restrictive. You can learn more about this at content-security-policy.
Windows Hosting
How to enable HSTS (Windows Hosting)
The HSTS header tells the browser to automatically upgrade insecure requests (http) to secure requests (https). The browser only learns this after its first visit to the site, so you will still need a 301 redirect to force the site onto SSL on that first visit. To enable HSTS you add a Strict-Transport-Security header to your responses.
To enable HSTS for your website, follow the below steps.
- Log into your hosting control panel. (SolidCP)
- Navigate to the wwwroot directory using the file manager.
- Edit the web.config file.
- Copy the code below, and then paste it into the web.config file.
- Add these rewrite rules to implement HTTPS and HSTS in the Web.Config for any domain. This particular example also enforces HTTPS using a redirect.
<system.webServer>
  <rewrite>
    <rules>
      <!-- Redirect every plain-http request to the same URL over https (permanent 301) -->
      <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
      </rule>
    </rules>
    <outboundRules>
      <!-- Add the Strict-Transport-Security header only on https responses (browsers ignore it over http) -->
      <rule name="Add the STS header in HTTPS responses">
        <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
        <conditions>
          <add input="{HTTPS}" pattern="on" />
        </conditions>
        <action type="Rewrite" value="max-age=31536000" />
      </rule>
      <!-- Blank out the Server header so the web server software is not disclosed -->
      <rule name="Remove Server header">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
How to enable security response headers (Windows Hosting)
Add these security response headers to the web.config file. You will need to replace yourdomain.com in the Content-Security-Policy rule with the domain you are using this rule for.
<httpProtocol>
  <customHeaders>
    <!-- Stop IIS from disclosing the application framework -->
    <remove name="X-Powered-By" />
    <!-- Only one Content-Security-Policy entry may be present: IIS rejects a
         customHeaders collection that contains two entries with the same name.
         Replace yourdomain.com with your own domain. -->
    <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-eval' 'unsafe-inline' *.yourdomain.com;" />
    <!-- Stricter alternative that allows resources from your own domain only:
    <add name="Content-Security-Policy" value="default-src 'self';" />
    -->
    <!-- Allows framing only by pages from the same origin (prevents click-jacking) -->
    <add name="X-Frame-Options" value="SAMEORIGIN" />
    <!-- Enables the browser's legacy XSS filter (older browsers only) -->
    <add name="X-XSS-Protection" value="1; mode=block" />
    <!-- Stops the browser from sniffing content types that differ from the declared one -->
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>
The content-security-policy line in the above code can be removed if it causes problems on your website. The policy states that only scripts from your own domain are allowed on your site so it is fairly restrictive. You can learn more about this at content-security-policy.
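Once either configuration is in place, it is worth confirming what the server actually sends. The following added example (not part of the original article or of the hosting panels it describes) checks a set of response headers against the settings described in both sections above: HSTS present with a max-age of at least a year and only on https responses, a single valid X-Frame-Options value, nosniff, a Content-Security-Policy without 'unsafe-inline' or 'unsafe-eval' in its default-src or script-src, and no Server or X-Powered-By disclosure. The thresholds, function names and the two sample header sets are this example's own; in practice you would feed it the headers returned by your own site.

```python
"""Security response header checker (added example, hypothetical names and thresholds)."""
import re

MIN_HSTS_AGE = 31536000          # one year, the value both configurations above use
UNSAFE_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'")


def _lookup(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_security_headers(headers, scheme="https"):
    """Return a list of findings for one response; an empty list means all checks passed."""
    findings = []

    def get(name):
        return _lookup(headers, name)

    hsts = get("Strict-Transport-Security")
    if scheme == "https":
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
            if m is None:
                findings.append("Strict-Transport-Security has no max-age")
            elif int(m.group(1)) < MIN_HSTS_AGE:
                findings.append("Strict-Transport-Security max-age below one year")
    elif hsts is not None:
        # Browsers discard HSTS received over plain http, so sending it there is wasted
        findings.append("Strict-Transport-Security sent over http is ignored by browsers")

    xfo = get("X-Frame-Options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif "," in xfo or xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # A combined value such as "SAMEORIGIN, SAMEORIGIN" (from appending twice) is rejected
        findings.append(f"invalid X-Frame-Options value: {xfo!r}")

    xcto = get("X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = get("Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() in ("default-src", "script-src"):
                for token in tokens[1:]:
                    if token.lower() in UNSAFE_CSP_TOKENS:
                        findings.append(f"{tokens[0]} allows {token}")

    for name in ("Server", "X-Powered-By"):
        if get(name):
            findings.append(f"{name} header discloses server software")
    return findings


# Constructed sample responses modelled on the two configurations in the text.
APACHE_OK = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}
IIS_WEAK = {
    "strict-transport-security": "max-age=300",
    "x-frame-options": "SAMEORIGIN, SAMEORIGIN",
    "content-security-policy": "default-src 'self' 'unsafe-eval' 'unsafe-inline' *.yourdomain.com;",
    "X-Powered-By": "ASP.NET",
}

if __name__ == "__main__":
    for label, sample in (("apache", APACHE_OK), ("iis", IIS_WEAK)):
        print(label, check_security_headers(sample) or "OK")
```

The Apache sample passes cleanly; the IIS sample reports the short max-age, the doubled X-Frame-Options value, the missing nosniff, the two weakening CSP source expressions and the X-Powered-By header, which is what the fixes in the sections above are meant to remove.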