Configure HTTP Strict Transport Security HSTS htaccess

I configured my site for HTTP Strict Transport Security (HSTS) a while back and, satisfied that it was all running OK, I figured it was about time I had my site preloaded in the popular browsers. When I went to the hstspreload.org website to submit my site I received an interesting message –

Unnecessary HSTS header over HTTP Warning

Unnecessary HSTS header over HTTP Warning – basically my htaccess file was setting the HSTS header on every response, including those served over plain HTTP, where the header should not be sent. I went digging around for the easiest and cleanest way to resolve this and found that mod_headers accepts a condition on the Header directive: appending env=HTTPS makes the header only be set when the HTTPS environment variable is present, i.e. on TLS requests.

My htaccess HTTP header initially looked like this –

The new environment variable was added to this existing header to give me the following final output –

Note that the env=HTTPS condition sits outside the quoted " " header value, at the end of the directive. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.
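As an added check (my own example, not code from the original post), here is a small Python linter for an htaccess Header line. It flags the two things hstspreload.org complained about on this site: a Strict-Transport-Security header set without the env=HTTPS condition (so it would also go out over HTTP), and a max-age below the one-year preload minimum. It also reports missing includeSubDomains and preload directives. The two directive strings are constructed samples.

```python
"""Lint an .htaccess Header directive for HSTS preload eligibility."""
import shlex

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum

# Constructed samples: the shape of the header before and after adding env=HTTPS.
BEFORE = 'Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"'
AFTER = 'Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS'


def parse_header_directive(line):
    """Return (action, header_name, value, condition) for a mod_headers Header line.

    condition is the trailing env=VAR (or expr=...) text, or None if absent."""
    tokens = shlex.split(line.strip())  # honours the quoted header value
    if not tokens or tokens[0].lower() != "header":
        raise ValueError("not a Header directive: %r" % line)
    tokens = tokens[1:]
    if tokens and tokens[0].lower() in ("always", "onsuccess"):
        tokens = tokens[1:]
    action, name, value = tokens[0], tokens[1], tokens[2]
    condition = " ".join(tokens[3:]) or None
    return action, name, value, condition


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return directives


def lint_hsts_directive(line):
    """Return a list of preload problems for one Header directive (empty = OK)."""
    _action, name, value, condition = parse_header_directive(line)
    if name.lower() != "strict-transport-security":
        return ["directive does not set Strict-Transport-Security"]
    problems = []
    # No condition at all means the header is also emitted on plain-HTTP responses.
    if condition is None:
        problems.append("unnecessary HSTS header over HTTP: add env=HTTPS")
    hsts = parse_hsts(value)
    if not hsts.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    elif int(hsts["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age too low: %s < %d" % (hsts["max-age"], PRELOAD_MIN_MAX_AGE))
    for required in ("includesubdomains", "preload"):
        if required not in hsts:
            problems.append("missing %s directive" % required)
    return problems
```

This only checks the file you control; as the comment thread below shows, a CDN in front of the origin can still serve a different max-age, so confirm with a live scan as well.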

HSTS header over HTTP Preload Eligible

With all being good in the world I submitted my site, and now all I have to do is make sure everything stays on HTTPS at all times, which honestly won’t be hard as I have no intention of using HTTP.

HSTS Preload Success


2 thoughts on “Configure HTTP Strict Transport Security HSTS htaccess”

  1. Recheck your domain again as I see “Error: Max-age too low. The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15552000.” while scanning your website URL.

    • Thanks for coming to Gondor’s aid, Rohan. Looks like my Cloudflare setting was different to my htaccess file. This should be updated in the next hour or so and show a 12 month value again.
