Add HSTS in Drupal 8 with the Security Kit Module

Date: December 4, 2019          1 Minute to Read

Adding HSTS (HTTP Strict Transport Security) in Drupal 8 forces web browsers to only load your website with a valid SSL certificate. This improves Drupal security against downgrade attacks and similar man-in-the-middle (MITM) attacks. HSTS is similar to a HTTP to HTTPS redirect but within the browser.

Below we’ll cover how to install the Security Kit module and enable HSTS.

Warning: Once enabled, HSTS disallows the user from overriding an invalid or self-signed certificate message. Your website will be inaccessible without a valid SSL.

Install Security Kit

  1. Login to Drupal.
  2. Install the Drupal module using the Security Kit download link.
  3. Click Install at the bottom.
  4. Click Configuration at the top.

Enable HSTS

  1. Under System, Click Security Kit settings.
  2. Click SSL/TLS to see HSTS settings.
  3. Check the box for HTTP Strict Transport Security.
  4. Specify the Max-age (in seconds) for how long the header should remain active.
  5. (Optional) Check the box to Include Subdomains for this domain.
  6. (Optional) Check Preload if you plan to submit your domain to the HSTS preload list after saving these changes.
  7. At the bottom, click Save configuration.
HSTS with Security Kit
Use the checkboxes to easily configure HSTS or click the clicks to learn more

Get high performance and security with our VPS Drupal Hosting.

Leave a Reply