I configured my site for HTTP Strict Transport Security (HSTS) a while back and, being satisfied it was all running OK, I figured it was about time I configured my site to be preloaded in popular browsers. When I went to the hstspreload.org website to submit my site I received an interesting message –
Unnecessary HSTS header over HTTP Warning – basically my .htaccess file was setting the HSTS header on all requests, and this header should not be sent over a plain HTTP connection. I went digging around to see what the easiest and best way to resolve this would be and found a nice condition for the Header directive: env=HTTPS, which only applies the header when the HTTPS environment variable (set by mod_ssl on TLS connections) is present.
My .htaccess HSTS header line initially looked like this –
Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains"
The env=HTTPS condition was added to this existing line to give me the following final version –
Header always set Strict-Transport-Security "max-age=31536000; preload; includeSubDomains" env=HTTPS
Note that the condition sits outside the quoted "..." section of the header value. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.
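To see why the preload checker complained, it helps to run the same kind of check yourself. The script below is an added example, not from the original post or from hstspreload.org: it parses a Strict-Transport-Security header value, applies the preload requirements the post relies on (max-age of at least 31536000 seconds, includeSubDomains, preload), and flags a header that arrives over plain HTTP. The two "sites" it audits are constructed stand-ins for the before and after versions of the .htaccess line above; no network requests are made.

```python
"""Audit HSTS headers the way a preload checker would (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum max-age hstspreload.org accepts: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an RFC 6797 directive list such as 'max-age=31536000; preload; includeSubDomains'."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be quoted
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"bad max-age value: {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def check_response(scheme: str, headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means this response is preload-ready."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if scheme == "http":
        # The header is meaningless on a plain connection and is ignored by browsers,
        # so its presence only shows the header is being set unconditionally.
        return ["Unnecessary HSTS header over HTTP"] if hsts is not None else []
    if hsts is None:
        return ["missing Strict-Transport-Security header over HTTPS"]
    try:
        policy = parse_hsts(hsts)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below the {PRELOAD_MIN_MAX_AGE} minimum")
    if not policy.include_subdomains:
        findings.append("includeSubDomains directive is missing")
    if not policy.preload:
        findings.append("preload directive is missing")
    return findings


def audit(site: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit a mapping of scheme -> response headers, one entry per scheme served."""
    return {scheme: check_response(scheme, headers) for scheme, headers in site.items()}


# Constructed sample responses modelling the two .htaccess variants from the post.
HEADER_VALUE = "max-age=31536000; preload; includeSubDomains"
BEFORE = {  # 'Header always set ...' with no condition: header sent on every request
    "http": {"Strict-Transport-Security": HEADER_VALUE},
    "https": {"Strict-Transport-Security": HEADER_VALUE},
}
AFTER = {  # same directive with env=HTTPS: header only on the TLS connection
    "http": {},
    "https": {"Strict-Transport-Security": HEADER_VALUE},
}

if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(site))
```

Run against real responses, the same `check_response` call would take the scheme you requested and the headers you got back; the constructed dictionaries above simply stand in for that so the check runs offline.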
With all being good in the world I submitted my site and now all I have to do is make sure things stay over HTTPS at all times, which honestly won’t be hard as I have no intention of using HTTP.