Configure HTTP Strict Transport Security (HSTS) in htaccess

I configured my site for HTTP Strict Transport Security (HSTS) a while back and, being satisfied it was all running OK, I figured it was about time I configured my site to be preloaded in popular browsers. When I went to the hstspreload.org website to submit my site, I received an interesting message –


Unnecessary HSTS header over HTTP Warning – basically my htaccess file is setting the HSTS header on all requests and this should not be sent over an HTTP channel. I went digging around to see what the easiest and best way to resolve this would be and found a nice environment variable: env=HTTPS

My htaccess HTTP header initially looked like this –

The new environment variable was added to this existing header to give me the following final output –

Note that the variable is outside the quoted " " section of the HTTP header. Once I saved my file and checked the preload site again I was thankful to see everything now showed as expected.
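The shape of the change described above, as an added example that is not the author's original file. Only `env=HTTPS` and its position outside the quotes come from the post; the header value, the `IfModule` wrapper and the proxy variant with its `FORWARDED_HTTPS` variable name are assumptions.

```apache
# Constructed example: the max-age value and directives are assumptions,
# not the contents of the author's .htaccess.
<IfModule mod_headers.c>
    # Before: the header is added to every response, including plain HTTP,
    # which is what produces the "Unnecessary HSTS header over HTTP" warning.
    # Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # After: env=HTTPS sits outside the quoted value. mod_headers adds the
    # header only when the HTTPS environment variable exists, which mod_ssl
    # sets on requests that arrived over TLS.
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>

# Failure mode: when TLS is terminated on a load balancer or reverse proxy,
# Apache itself sees plain HTTP, HTTPS is never set, and the line above
# silently stops sending the header. One variant for that setup, valid only
# if the proxy overwrites X-Forwarded-Proto on every request
# (FORWARDED_HTTPS is a hypothetical variable name):
#
# SetEnvIf X-Forwarded-Proto "^https$" FORWARDED_HTTPS
# Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=FORWARDED_HTTPS
```

To confirm the result, request the headers over both schemes (for instance `curl -sI http://example.com/` and `curl -sI https://example.com/`, with example.com standing in for the real host): the `Strict-Transport-Security` line should appear only in the HTTPS response.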

HSTS header over HTTP Preload Eligible

With all being good in the world I submitted my site and now all I have to do is make sure things stay over HTTPS at all times, which honestly won’t be hard as I have no intention of using HTTP.

HSTS Preload Success

 
