How do I use HSTS?
Once your website is served over a secure HTTPS connection, you can also use HSTS (HTTP Strict Transport Security). HSTS is a security mechanism that protects HTTPS websites against protocol downgrade attacks: a browser that has seen the HSTS header will refuse to make an unsecured connection to the site.
Important
In this article we use a .htaccess file to enable HSTS automatically. You must set this file per website (i.e. per domain and subdomain). It is important that you already force HTTPS. Place the code discussed in this article below the rules that force HTTPS.
For more information see: How do I automatically use HTTPS?
Steps
Step 1. Follow steps 1 to 4 of the step-by-step plan for HTTPS and continue with the step below.
Step 2a. Paste the following code into the .htaccess file:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Header set X-Frame-Options "DENY"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
</IfModule>
Step 2b (optional). Content-Security-Policy is an extra security layer that indicates which external scripts may be loaded on the website. Any external script that is requested but not listed in the policy is blocked by the browser. You enable it by adding the following code to the .htaccess file:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'"
</IfModule>
Note: This means that all external services such as Google Analytics, Cloudflare, the Neostrada captcha protection, external CSS and others no longer work unless you manually add their hosts to the directive, for example:
Header set Content-Security-Policy "default-src 'self' www.google-analytics.com *.cloudflare.com *.gstatic.com captcha.totaalholding.nl;"
Step 3. At the top right, click Save Changes. Web browsers will now only use secure HTTPS connections to your website, never the insecure HTTP protocol.
To test the result you can use a checker such as securityheaders.com.
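Instead of relying only on an external checker, you can verify the headers from step 2a yourself. The script below is an added example and not part of this article; it runs the checks over a constructed sample response (the second Set-Cookie line deliberately lacks the flags from line 6) and can be pointed at the raw headers of your own site.

```python
import re

# Constructed sample response, as a server configured like step 2a might return it.
# The second cookie deliberately lacks the Secure/HttpOnly flags added by line 6.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
Set-Cookie: lang=nl; Path=/
"""

def parse_headers(raw):
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(raw, min_max_age=31536000):
    """Return {check_name: passed} for the headers the article sets in step 2a."""
    headers = parse_headers(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    hsts = values("strict-transport-security")
    directives = [d.strip().lower() for d in hsts[0].split(";")] if hsts else []
    age = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    xfo = values("x-frame-options")
    cookies = values("set-cookie")
    return {
        # HSTS must be present with at least the article's one-year lifetime
        "hsts_max_age": age is not None and int(age.group(1)) >= min_max_age,
        "hsts_include_subdomains": "includesubdomains" in directives,
        # DENY and SAMEORIGIN are the valid X-Frame-Options values
        "x_frame_options": bool(xfo) and xfo[0].upper() in ("DENY", "SAMEORIGIN"),
        "nosniff": any(v.lower() == "nosniff" for v in values("x-content-type-options")),
        "referrer_policy": bool(values("referrer-policy")),
        # every cookie must carry both flags that the Set-Cookie edit rule appends
        "cookies_secure_httponly": bool(cookies) and all(
            re.search(r";\s*secure\b", c, re.I) and re.search(r";\s*httponly\b", c, re.I)
            for c in cookies),
    }

def failed_checks(raw):
    """Names of the checks that did not pass."""
    return [name for name, ok in check_headers(raw).items() if not ok]

if __name__ == "__main__":
    for name, ok in check_headers(SAMPLE_RESPONSE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On the sample, every check passes except the cookie one, which is exactly what you would see if the Set-Cookie edit rule from line 6 were missing or mistyped.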
Explanation HSTS
Below we explain what each line of code between the IfModule tags in step 2a does. Line 1 is therefore "Header always set Strict-Transport-Security ...", line 2 is "Header set X-Frame-Options DENY", and so on.
Line 1: Enables HSTS on the domain so that it is always loaded over HTTPS. This also applies to subdomains, provided that the code is applied there in the .htaccess file as well. The max-age=31536000 value sets this for 1 year; you can adjust this to, for example, 2 years by changing the number to 63072000.
Line 2: Prevents your website from being embedded in a <frame>, <iframe> or <object>. If your website depends on being embedded, it is best to omit this rule.
Line 3: Disables MIME type sniffing. This prevents, for example, Internet Explorer from executing a URL served as an image as JavaScript.
Line 4: Enables the XSS filter of IE8 and IE9, which helps prevent cross-site scripting in those browsers.
Line 5: Ensures that when a visitor clicks a link to an HTTP website, the HTTPS URL of your website is not sent along as referrer. This would otherwise be a security vulnerability, because the full HTTPS URL path would be sent over the internet unsecured.
Line 6: Adds the Secure flag (and the HttpOnly flag) to every cookie. The purpose of the Secure flag is to prevent cookies from being viewed by unauthorized parties, which could happen if the cookie were sent over an unsecured connection.