Require HTTPS with the HSTS Header

Enforce HTTPS communications on supported browsers using the HTTP Strict Transport Security header.


After you have required HTTPS for all pages by adding the necessary redirect, set the HTTP Strict Transport Security (HSTS) header to standardize all client connections on HTTPS and prevent use of HTTP.

Not only does this header help you get an A+ SSL rating from SSL Labs, it will help protect your website against protocol downgrade attacks and cookie hijacking.

Deploy and Configure a HSTS Header by Module or Plugin

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a website security feature that tells browsers to only communicate using HTTPS, instead of HTTP.

Install and activate the LH HSTS plugin using the WordPress Dashboard (/wp-admin/plugin-install.php?tab=search&s=lh+hsts) or with Terminus:

terminus remote:wp <site>.<env> -- plugin install lh-hsts --activate

Once enabled, the following header will be sent in responses:

Strict-Transport-Security: max-age=15984000; includeSubDomains; preload

Nested Docroot

Sites using our nested docroot feature to serve WordPress from a subdirectory will experience a redirect loop upon activation of the LH HSTS plugin:

[Screenshot: LH HSTS redirect loop on nested docroot]

There is an open issue to address the problem; no workaround is currently known.

As an alternative for sites served from a subdirectory, we recommend disabling the LH HSTS plugin and using a custom PHP function to send the HSTS header:

/**
 * Example custom function to add the HSTS header while rendering a response.
 */
add_action( 'send_headers', 'add_header_hsts' );
function add_header_hsts() {
    header( 'Strict-Transport-Security: max-age=15984000; includeSubDomains; preload' );
}

See the WordPress documentation for more details.

  1. Install the HTTP Strict Transport Security module using the Drupal interface or with Terminus:

    terminus remote:drush <site>.<env> -- pm-enable hsts --yes
    
  2. Visit the module configuration page (/admin/config/system/hsts).

  3. Check the Enable HTTP Strict Transport Security checkbox, set Max Age to at least 1 year and click Save Configuration.

Once installed and configured, the following header will be sent in responses:

strict-transport-security: max-age=31536000

  1. Install the HTTP Strict Transport Security module using the Drupal interface or with Terminus:

    terminus remote:drush <site>.<env> -- pm-enable hsts --yes
    
  2. Visit the module configuration page (/admin/config/security/hsts).

  3. Check the Enable HTTP Strict Transport Security checkbox, set Max Age to 15552000 and click Save Configuration.

Once installed and configured, the following header will be sent in responses:

strict-transport-security: max-age=15552000

HSTS Header Configuration Attributes

Once you've installed the module or plugin you plan to use, you should immediately configure the strict-transport-security header attributes as appropriate for your site. There are three attributes you should configure for the strict-transport-security header:

max-age=<expire-time>
The time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. When you first add and configure the HSTS header, you might want to set the max-age as low as 5 minutes or 1 day so that you can check that your site does not exhibit any unexpected access issues; with a very low max-age you can change the settings quickly until testing is complete. Once testing is complete, set the max-age to 1 year or even two years.
includeSubDomains
Optional, but usually advisable. If this parameter is specified, your HSTS header applies to all of your site's subdomains as well. If you do not use the includeSubDomains attribute, your site may still be exposed to unintended security issues when users access subdomains of your site.
preload
An optional attribute, but an important one to understand, supported by all modern major browsers. Optimally, you should only add the preload attribute after you have tested your site using your HSTS header configured with max-age and includeSubDomains. The preload list is a list of domains baked into browsers that a browser consults before sending a request for a site. If your site is in the preload list, all requests for your site will be sent via HTTPS no matter what the user types into the browser address bar, and this will occur even before the browser first sees your site's actual HSTS header. Because removal from the preload list is slow to propagate to browsers, treat preload as a long-term commitment. Here is where you add your site to the preload list.

How you configure or include these attributes raises the rigor of the security that your HSTS effort provides. Here is a great overview of how and why to use the above noted attributes.

Lastly, as an example, this is the strict-transport-security header as it is implemented by the United States Whitehouse.gov site (it uses preload, a one-year max-age, and includeSubDomains):

Strict-Transport-Security: max-age=31536000;includeSubdomains;preload
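As an added check (example code written for this page, not part of the LH HSTS plugin or the Drupal module), the following Python parses a Strict-Transport-Security value and reports which of the three attributes above are weak or missing, using the preload list's published minimum of a one-year max-age plus includeSubDomains. Run against the header values shown on this page, it passes the Whitehouse.gov header, flags the Drupal header for lacking includeSubDomains, and flags the plugin header because max-age=15984000 is below the one-year minimum that preload submission requires.

```python
from dataclasses import dataclass
from typing import List, Optional

# hstspreload.org requires a max-age of at least one year for submission
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Directive names are case-insensitive, so 'includeSubdomains' (as sent by
    whitehouse.gov) counts; unknown directives are ignored, as browsers do.
    """
    max_age, include_subdomains, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age needs a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(value: str) -> List[str]:
    """Return findings for a header value; an empty list means preload-ready."""
    p = parse_hsts(value)
    findings = []
    if p.max_age is None:
        return ["max-age missing: RFC 6797 requires it, so browsers ignore the header"]
    if p.max_age == 0:
        findings.append("max-age=0 makes browsers forget the HSTS policy")
    elif p.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={p.max_age} is below the one-year preload minimum")
    if not p.include_subdomains:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if p.preload and findings:
        findings.append("preload set but the policy does not meet preload-list requirements")
    return findings
```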

See Also

For additional details on this header, see: