Configure HTTP Strict Transport Security HSTS htaccess

I configured my site for HTTP Strict Transport Security (HSTS) a while back and being satisfied it was all running OK I figured it was about time I configure my site to be preloaded in popular browsers. When I went to the website to submit my site I received an interesting message –

Unnecessary HSTS header over HTTP Warning

Unnecessary HSTS header over HTTP Warning – basically my htaccess file is setting the HSTS header on all requests and this should not be sent over an HTTP channel. I went digging around to see what the easiest and best way to resolve this would be and found a nice environment variable: env=HTTPS

My htaccess HTTP header initially looked like this –

Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains"

The new environment variable was added to this existing header to give me the following final output –

Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" env=HTTPS

Note that the variable is outside the quoted ” ” section of the HTTP header. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.

HSTS header over HTTP Preload Eligible

With all being good in the world I submitted my site and now all I have to do is make sure things stay over HTTPS at all times, which honestly won’t be hard as I have no intention of using HTTP.

HSTS Preload Success


6 thoughts on “Configure HTTP Strict Transport Security HSTS htaccess”

  1. Recheck your domain again as I see “Error: Max-age too low
    The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15552000.” while scanning your website URL.

    • Thanks for coming to Gondors aid Rohan, looks like my Cloudflare setting was different to my htAccess file. This should be updated in the next hour or so and show a 12 month value again.

      • The value is:
        Header always set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload” env=HTTPS

        • That ‘Header’ entry looks ok to me – in fact other frequently used sites to test all seem happy with it as well. Interestingly the HSTS preload site thinks you don’t have a HTTP>HTTPS redirect in place. It looks like you do though so I’m curious why it is flagging that. When I check the site this is what it shows me –

          Error: HTTP redirects to www first
          `` (HTTP) should immediately redirect to `` (HTTPS) before adding the www subdomain. Right now, the first redirect is to ``. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
          Error: Insecure redirect
          `` redirects to an insecure page: ``

          How do you have your redirect setup at the moment, are you going through a CDN or just direct to your host site?


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.