How to manage HTTP Strict Transport Security (HSTS) for your site

This article discusses HTTP Strict Transport Security (HSTS) and how to manage it for your site.

About HSTS

HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections (https://) for all future requests when communicating with a web site. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.

Managing HSTS on Linux

By default, HSTS is enabled on all Linux-based managed hosting accounts. You do not need to take any additional steps to use HSTS with your site.

However, there may be scenarios where you want to disable HSTS for your site, such as during site development or testing. To do this, follow these steps:

  1. Using SSH, the cPanel File Manager, or the Plesk File Manager, navigate to the document root of your site (usually the public_html folder).
  2. Use your preferred text editor to open the .htaccess file.
    If the .htaccess file does not already exist, create it.
  3. Copy the following line, and then paste it into the .htaccess file:
    Header always unset Strict-Transport-Security
  4. Save your changes to the .htaccess file. HSTS is now disabled for your site.

Managing HSTS on Windows

By default, HSTS is not enabled on Windows hosting accounts.

To enable HSTS for your site, you must have a valid SSL certificate already installed and activated. If you do not, and you enable HSTS anyway, visitors will be unable to access your site.

To enable HSTS for your site, follow these steps:

  1. Using the Plesk File Manager, navigate to the document root of your site.
  2. Click the web.config file to open it in the file editor.
  3. There is a specific location to enter the settings for HSTS, and it is different depending on the existing contents of the web.config file. Please carefully review each of the three scenarios below, and then select the correct one for your situation:
    1. If the web.config file is empty, paste the entire code below into the editor and click Apply:
      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <system.webServer>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>
    2. If the web.config file is not empty, look for the <system.webServer> section. If there is no <system.webServer> section, paste the whole <system.webServer> section (everything from <system.webServer> through </system.webServer>) inside <configuration>, after your existing items, as shown:

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <other items>
          </other items>
          <system.webServer>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                              redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>
    3. Finally, if the web.config file is not empty and there is already a <system.webServer> section, paste only the <rewrite> section (everything from <rewrite> through </rewrite>) inside that existing <system.webServer> section, after its existing items, as shown:

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <other items>
          </other items>
          <system.webServer>
              <other items>
              </other items>
              <rewrite>
                  <rules>
                      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                          <match url=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                          </conditions>
                          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
                              redirectType="Permanent" />
                      </rule>
                  </rules>
                  <outboundRules>
                      <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                          <conditions>
                              <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                          </conditions>
                          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                      </rule>
                  </outboundRules>
              </rewrite>
          </system.webServer>
      </configuration>
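After changing either the .htaccess directive above or the web.config rules above, the practical check is to look at what the site actually sends: a plain-HTTP request should get a permanent redirect to https://, and an HTTPS response should carry the Strict-Transport-Security header with the expected directives (or no header at all, if you unset it). The following is an added example, not code from this article or from any hosting platform; it parses header values per RFC 6797 and evaluates constructed sample responses offline, so it applies to either platform.

```python
import re
EXPECTED_STS = "max-age=31536000; includeSubDomains; preload"  # value the web.config rule above emits
ONE_YEAR = 31536000  # minimum max-age the browser preload lists require

def parse_sts(value):
    """Split a Strict-Transport-Security value into {directive: value} per RFC 6797.
    Names are case-insensitive; returns None if max-age is missing or not an integer."""
    directives = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        return None  # browsers ignore the whole header in this case
    return directives

def check_response(scheme, status, headers):
    """Return a list of findings for one response to a request made over `scheme`."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    sts = hdrs.get("strict-transport-security")
    findings = []
    if scheme == "http":
        # The rewrite rule above must answer plain HTTP with a permanent redirect to https://.
        location = hdrs.get("location", "").lower()
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("plain HTTP is not permanently redirected to https://")
        if sts is not None:  # browsers ignore HSTS received over HTTP (RFC 6797, 8.1)
            findings.append("HSTS header sent over HTTP has no effect; HTTPS-only condition missing")
        return findings
    if sts is None:
        return ["no Strict-Transport-Security header on HTTPS response (HSTS disabled?)"]
    directives = parse_sts(sts)
    if directives is None:
        return [f"browsers will ignore this HSTS value (bad or missing max-age): {sts!r}"]
    if int(directives["max-age"]) < ONE_YEAR:
        findings.append("max-age below one year; too short for browser preload lists")
    if "preload" in directives and "includesubdomains" not in directives:
        findings.append("preload without includeSubDomains; preload lists require both")
    return findings

# Constructed sample responses (not captured from a real site): scheme, status, headers.
SAMPLES = {
    "http_redirect": ("http", 301, {"Location": "https://www.example.com/index.html"}),
    "https_enabled": ("https", 200, {"Strict-Transport-Security": EXPECTED_STS}),
    "https_unset": ("https", 200, {"Content-Type": "text/html"}),  # after the .htaccess unset
}

def audit():
    """Map each sample name to its findings; an empty list means that check passed."""
    return {name: check_response(*resp) for name, resp in SAMPLES.items()}
```

To check a live site, feed check_response the scheme you requested, the status code and the response headers from your HTTP client of choice; the "https_unset" finding is the expected result right after the Linux disable step.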

More Information

For more information about HSTS, please visit https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security.