I configured my site for HTTP Strict Transport Security (HSTS) a while back and being satisfied it was all running OK I figured it was about time I configure my site to be preloaded in popular browsers. When I went to the hstspreload.org website to submit my site I received an interesting message –
Unnecessary HSTS header over HTTP Warning – basically my htaccess file is setting the HSTS header on all requests and this should not be sent over an HTTP channel. I went digging around to see what the easiest and best way to resolve this would be and found a nice environment variable: env=HTTPS
My htaccess HTTP header initially looked like this –
1 | Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" |
The new environment variable was added to this existing header to give me the following final output –
1 | Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" env=HTTPS |
Note that the variable is outside the quoted ” ” section of the HTTP header. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.
With all being good in the world I submitted my site and now all I have to do is make sure things stay over HTTPS at all times, which honestly won’t be hard as I have no intention of using HTTP.
Recheck your domain again as I see “Error: Max-age too low
The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15552000.” while scanning your website URL.
Thanks for coming to Gondors aid Rohan, looks like my Cloudflare setting was different to my htAccess file. This should be updated in the next hour or so and show a 12 month value again.