What are HSTS Headers?
For the purpose of explaining these, let's say you're in a coffee shop or cafe with free Wi-Fi, where the password is handed out to everyone and never changed. This is an example of an untrusted network. An attacker on the same network can put themselves between a victim and the internet. When the victim types your site's address without "https://" in front, the browser's first request goes out over plain HTTP, and the attacker can answer it instead of your server: either by serving a phishing copy of your login portal that forwards the entered details straight to the attacker, or by keeping the victim on plain HTTP while the attacker talks to your real site over HTTPS (an "SSL stripping" attack) and reads everything that passes through.
This is why HTTP Strict Transport Security (HSTS) is essential for any site with a login portal, ordering system or other sensitive pages. HSTS is a response header, sent over HTTPS, that tells the browser to use only HTTPS for your site for a set period (the max-age, in seconds). Once a browser has seen it, later visits never leave the browser over plain HTTP, even if the user types "http://" or follows an old link, so there is no insecure first request for the attacker to intercept.
Adding HSTS Headers
Step 1. Log in to your cPanel
If you are unsure how to do this, see our guide on logging into the control panel.
Step 2. Locate your site's '.htaccess' file
In cPanel, select 'File Manager'.
In the File Manager, find the folder for your site; once you have done this, click the link for your site's address.
On the right of the page, all the web page files should appear. Find the file called '.htaccess'.
Right-click it and press 'Edit'.
This will open an editor for the file. The '.htaccess' file holds per-directory configuration for the Apache web server, so anything added here takes effect as soon as it is saved.
If you are struggling to find it, the file is hidden by default: open 'Settings' in the File Manager and tick 'Show Hidden Files (dotfiles)'.
At the top of the file you need to add:
# HSTS
# The following header tells browsers to use only https for this site for
# the next year (31536000 seconds). It is sent on https responses only
# (env=HTTPS): browsers ignore an HSTS header received over plain http.
# An http-to-https redirect must also be set up (Step 3) for this to work.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
A word of caution before you save: browsers remember the policy for the full max-age, so if anything on your site does not yet work over https, visitors will be locked out of it until the policy expires. If you want to test first, use a short max-age (for example 300) and raise it to a year once every page loads cleanly over https. Do not add 'includeSubDomains' unless every subdomain is also served over https, and do not add 'preload' unless you intend to submit the site to the browser preload list.
Once you have done this, press 'Save Changes' and go back to the main Control Panel.
Step 3. Setting up HTTP to HTTPS Redirect
From the Control Panel, under the heading ‘Domains‘ click ‘Redirects’.
Now you need to add a redirect. Select the site you are adding HSTS to from the drop-down beneath 'https?://(www.)?'; this pattern matches both the plain and the 'www.' form of your address, over either scheme.
Then fill in the 'Redirects to' address: your site's address with 'https://' in front of it. Leave the type set to 'Permanent (301)', so browsers and search engines learn that the https address is the real one.
Once you have done this, click 'Add' at the bottom.
HSTS should now be set up on your site. Be clear about what it does and does not cover. The browser only learns the policy from an https response, so a visitor's very first plain-http request is still unprotected; that is why the redirect in Step 3 matters, and why the preload list exists for sites that want to close that gap too. After that first visit, the browser refuses plain http to your site for the whole max-age and will not let the user click through a certificate warning. To confirm it is working, look at the response headers of your https address (in your browser's developer tools or with curl -I): the Strict-Transport-Security line should be present on the https response, and the http address should answer with a 301 whose Location starts with https://.
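The two steps above can also be done in the '.htaccess' file alone, and once they are in place you will want a repeatable check that both the redirect and the header actually come back from the server. The script below is an added example written for this page; it is not code from the original article or from cPanel. It generates the '.htaccess' rules for Steps 2 and 3 (using mod_rewrite for the redirect instead of the cPanel 'Redirects' page), parses a Strict-Transport-Security value the way a browser does, and checks a pair of responses. Run it with a hostname to test a live site; with no arguments it runs against constructed sample responses embedded in the file, so it works offline.

```python
"""Generate the .htaccess rules for HSTS plus the http-to-https redirect,
and check a site's responses for them.

Added example for this page; not code from the original article or from
cPanel. Run with a hostname to check a live site, or with no arguments to
run against the constructed sample responses below.
"""
import http.client
import sys

ONE_YEAR = 31536000  # seconds; also the minimum max-age for the preload list


def build_htaccess(max_age=ONE_YEAR, include_subdomains=False, preload=False):
    """Return .htaccess text that does Step 2 and Step 3 in one file.

    The RewriteRule is the .htaccess equivalent of the cPanel 'Redirects'
    entry. The Header line is only emitted on https responses (env=HTTPS)
    because browsers ignore an HSTS header received over plain http.
    """
    if max_age < 0:
        raise ValueError("max-age must not be negative")
    if preload and (not include_subdomains or max_age < ONE_YEAR):
        # hstspreload.org rejects entries without includeSubDomains or with
        # max-age under one year, so refuse to emit an unusable 'preload'.
        raise ValueError("preload needs includeSubDomains and max-age >= 1 year")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return (
        "RewriteEngine On\n"
        "# Step 3: permanent redirect of every plain-http request to https.\n"
        "# %{HTTP_HOST} echoes the request's Host header; if this vhost also\n"
        "# answers for other names, hard-code your domain here instead.\n"
        "RewriteCond %{HTTPS} !=on\n"
        "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n"
        "# Step 2: HSTS, sent on https responses only.\n"
        f'Header always set Strict-Transport-Security "{value}" env=HTTPS\n'
    )


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax) into a dict.

    Returns None when the value is not a usable policy, e.g. no max-age.
    Directive names are case-insensitive; unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts_header(headers, min_age=ONE_YEAR):
    """Step 2 check on an https response. headers is a list of (name, value).
    Returns (ok, reason)."""
    value = next((v for k, v in headers
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    policy = parse_hsts(value)
    if policy is None:
        return False, f"malformed HSTS value: {value!r}"
    if policy["max_age"] < min_age:
        return False, f"max-age {policy['max_age']} is below {min_age}"
    return True, f"ok: {value}"


def check_redirect(status, location):
    """Step 3 check on the plain-http response. Returns (ok, reason)."""
    if status not in (301, 302, 307, 308):
        return False, f"http response was {status}, not a redirect"
    if not location or not location.lower().startswith("https://"):
        return False, f"redirect target is not https: {location!r}"
    if status != 301:
        return True, f"redirects to {location} with {status}; 301 is preferred"
    return True, f"301 to {location}"


# Constructed sample responses (not captured from any real server).
SAMPLE_HTTP = (301, [("Location", "https://www.example.com/")])
SAMPLE_HTTPS = (200, [("Content-Type", "text/html"),
                      ("Strict-Transport-Security", "max-age=31536000")])


def fetch(host, secure):
    """HEAD / on host over http or https; returns (status, header list)."""
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def main(argv):
    if len(argv) > 1:
        http_resp, https_resp = fetch(argv[1], False), fetch(argv[1], True)
    else:
        http_resp, https_resp = SAMPLE_HTTP, SAMPLE_HTTPS
    status, headers = http_resp
    location = {k.lower(): v for k, v in headers}.get("location")
    print("http redirect:", check_redirect(status, location))
    print("https HSTS:   ", check_hsts_header(https_resp[1]))


if __name__ == "__main__":
    main(sys.argv)
```

The check deliberately reads the header from the https response and the redirect from the http response, because that is how a browser encounters them: a policy seen only over plain http is discarded, and a site whose http address serves content instead of redirecting leaves the first visit exposed no matter what the header says. The default min_age of one year matches the value the page recommends; lower it while you are testing with a short max-age.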