InMotion Hosting Support Center

HSTS (HTTP Strict Transport Security) protects users from cookie hijacking and protocol downgrade attacks by forcing browsers to request HTTPS pages from your domain. HSTS is similar to a 301 redirect from HTTP to HTTPS but at the browser level.

Note: Cloudflare users can enable HSTS from the Cloudflare dashboard.

There may be a specific HSTS configuration appropriate for your website. The following options are less secure and ineligible for preloading, because first-time traffic to your site can still use insecure HTTP:

Strict-Transport-Security: max-age=10886400;
Strict-Transport-Security: max-age=10886400; includeSubDomains

A breakdown of the header:

Strict-Transport-Security: Forces HSTS on the domain
max-age: How long the header should be active, in seconds
includeSubDomains: Includes subdomains
preload: Authorizes preload listing if eligible (covered below)

Below we'll cover adding the most secure HSTS configuration using the .htaccess file and submitting your domain to the Chrome preload list maintained by Google.

Warning: Once enabled, HSTS prevents the user from overriding an invalid or self-signed certificate message. Your website will be inaccessible without a valid SSL certificate.

Enable HSTS for Preloading

  1. Using SSH or cPanel File Editor, edit your .htaccess file.
  2. Add the following lines to your .htaccess file:

    <IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
    </IfModule>

    Note: The expiry must be at least 18 weeks (10886400 seconds).

  3. To submit your domain for preloading, visit Hstspreload.org.
  4. Type your domain and click "Check HSTS preload status and eligibility".
  5. The background will turn green or red depending on the results.

    Eligible:

    Site eligible for preloading

    Ineligible:

    Site ineligible for preloading

  6. Fix the errors and/or submit your domain for preloading.

After submitting your domain for HSTS preloading, it can take 2-6 months for your domain to be accepted and then listed in the latest browser versions. You can read more about the preload process at hstspreload.org and browsers supporting HSTS at Caniuse.com.
