
Updated on January 9, 2023

What is HSTS and How To Force HSTS for Website Security

If a visitor comes to your site and sees "Not secure", they are more likely to leave and close the page right away. Security matters to every user and should be a priority when you build your website. Forcing HSTS (HTTP Strict Transport Security) is a simple way to make sure that browsers always connect to your site over HTTPS. How do you do it? Read on for the steps.

But first, let’s get acquainted with what HSTS is and how it works.


What is HSTS

HSTS is a response header (Strict-Transport-Security) that your site sends over HTTPS. Once a browser has received it, the browser talks to that host only over HTTPS for the number of seconds given by max-age: it rewrites http:// links to https:// before sending any request, and it no longer lets the user click through a certificate warning. With includeSubDomains the rule also covers every subdomain, and preload signals that you intend to submit the domain to the HSTS preload list built into Chrome, Firefox, Safari and Edge, which protects even a visitor's very first request. A valid SSL certificate is what lets the browser show the padlock; HSTS is what stops an attacker on the network from downgrading the connection to plain HTTP in the first place.

In order to force HSTS, you must have the following:

  • A valid SSL certificate from a trusted authority that covers the domain and, if you use includeSubDomains, every subdomain
  • A site that already redirects HTTP to HTTPS (browsers ignore the header when it arrives over plain HTTP, and the preload list requires the redirect)
  • Apache with mod_headers enabled (standard on cPanel hosting) and a .htaccess file in the site's document root that contains the HSTS header

We will dive into the last point, which is adding the HSTS header to your .htaccess file.


How to Force HSTS for Increased Website Security

1. Log in to your cPanel dashboard.

2. Go to the Files block, and click on File Manager.

[Screenshot: cPanel dashboard, Files block, File Manager]

3. The .htaccess file may be under hidden files, so make sure to go to Settings at the top right corner of the screen, and tick the box for Show Hidden Files (dotfiles). Then click on Save.

[Screenshot: cPanel File Manager settings, Show Hidden Files (dotfiles)]

4. Files whose names start with a dot are now visible. Look for the .htaccess file in the document root (usually public_html), right-click it, then select Edit. If there is no .htaccess file yet, create an empty one with + File first.

[Screenshot: .htaccess file, right-click menu, Edit]

5. A dialog box will appear to confirm that you will be making changes to the .htaccess file. Click on Edit to continue.

[Screenshot: .htaccess edit confirmation dialog]

6. The file opens in a new editor window. Copy this line and paste it at the top of the file, keeping the plain straight double quotes (curly quotes pasted from a word processor make Apache reject the directive, and the whole site then answers with a 500 error):
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"

Two things to know before you save. max-age is in seconds: 10886400 (18 weeks) is enough for browsers to honour HSTS, but hstspreload.org currently accepts a domain only with a max-age of at least 31536000 (one year). And includeSubDomains together with preload commits every subdomain to HTTPS and is very hard to undo once browsers have cached it, so leave those two tokens out if any subdomain must still be reachable over plain HTTP.

7. Click on Save Changes, then Close.

8. To confirm that the header is being sent correctly, go to https://hstspreload.org/. Enter your domain and click on Check HSTS preload status and eligibility. The tool fetches your live site, so save the file first and clear any server-side cache.

  • The page turns green when the domain is eligible for preloading and red when it is not. A red result lists exactly what is missing, for example no redirect from HTTP to HTTPS, a max-age shorter than one year, or a subdomain that is not served over HTTPS. HSTS itself is already in effect as soon as the header reaches browsers over HTTPS; submitting the domain to the preload list is an optional extra step.
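As an added example (not the snippet from the steps above), here is a complete .htaccess fragment that covers all three requirements at once: it redirects plain HTTP to HTTPS, sends the header only on HTTPS responses, and uses the one-year max-age that the preload list asks for. It assumes Apache with mod_rewrite and mod_headers, which cPanel hosts normally have, and that TLS terminates on this server so that mod_ssl sets the HTTPS environment variable.

```apache
# Added example, not the article's own snippet. Assumes Apache with
# mod_rewrite and mod_headers, and TLS terminated on this server.

# 1. Send every plain-HTTP request to the same URL over HTTPS.
#    Browsers ignore an HSTS header received over HTTP, and
#    hstspreload.org requires this redirect before it accepts a domain.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Send HSTS on HTTPS responses only (env=HTTPS is set by mod_ssl).
#    "always" also covers error responses such as 404, which the
#    preload checker may fetch. max-age=31536000 is one year, the
#    minimum the preload list accepts. includeSubDomains and preload
#    commit every subdomain to HTTPS and are hard to undo, so drop them
#    until you are sure every subdomain works over HTTPS.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
```

After saving, check the result from a terminal: `curl -sI http://your-domain/` should answer with a 301 and a Location header starting with https://, and `curl -sI https://your-domain/ | grep -i strict-transport-security` should print the header exactly as written. If a CDN or reverse proxy terminates TLS in front of your server (for example Cloudflare in "Flexible" mode), the origin sees plain HTTP, the redirect above loops, and the env=HTTPS condition never matches; in that setup enable HSTS at the proxy instead of in .htaccess.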

