Adding HSTS (HTTP Strict Transport Security) in Drupal 8 forces web browsers to only load your website with a valid SSL certificate. This improves Drupal security against downgrade attacks and similar man-in-the-middle (MITM) attacks. HSTS is similar to a HTTP to HTTPS redirect but within the browser.
Below we’ll cover how to install the Security Kit module and enable HSTS.
Warning: Once enabled, HSTS disallows the user from overriding an invalid or self-signed certificate message. Your website will be inaccessible without a valid SSL.
Install Security Kit
- Login to Drupal.
- Install the Drupal module using the Security Kit download link.
- Click Install at the bottom.
- Click Configuration at the top.
- Under System, Click Security Kit settings.
- Click SSL/TLS to see HSTS settings.
- Check the box for HTTP Strict Transport Security.
- Specify the Max-age (in seconds) for how long the header should remain active.
- (Optional) Check the box to Include Subdomains for this domain.
- (Optional) Check Preload if you plan to submit your domain to the HSTS preload list after saving these changes.
- At the bottom, click Save configuration.
Get high performance and security with our VPS Drupal Hosting.