How to enable HSTS and Security Response Headers
Posted by Tegan King on 26 April 2019 01:23 PM
HSTS and other security response headers are HTTP response headers that tell the browser which security settings to enforce. We recommend enabling them. Use the instructions below for your type of web hosting plan (Linux or Windows).

Linux Accounts

ENABLING HSTS (Linux Hosting)

The HSTS header makes the browser automatically change insecure requests (http://) into secure requests (https://). This only takes effect after the browser's first visit to the page, so you still need a 301 redirect to force the site onto SSL on that first request. To do this we must add a strict-transport-security header. To enable HSTS for your site, follow these steps:
ENABLING SECURITY HEADERS USING .HTACCESS (Linux Hosting)

The following security headers enable cross-site-scripting (XSS) protection, prevent click-jacking, and tell the browser which content types are supported. First, combine them into a single code snippet, then add it to the .htaccess file in your site's root. These are the most basic options, and we advise learning more about security headers.
The content-security-policy line above can be removed if it causes problems on your website. The policy only allows scripts from your own domain, so it is fairly restrictive. We suggest learning more about content-security-policy.
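As an added illustration of the two Linux steps above (this is example configuration, not the article's own snippet), the following root .htaccess carries the first-visit 301 redirect, the HSTS header and the other security headers described. It assumes Apache with mod_rewrite and mod_headers available on the plan; "example.com" stands in for your own domain.

```apache
# Added example, not the article's own snippet. Assumes Apache with mod_rewrite
# and mod_headers enabled. Replace "example.com" with your own domain.

# Step 1: 301 redirect of every plain-http request to https. The browser only
# learns the HSTS policy from an https response, so the very first visit still
# needs this server-side redirect.
RewriteEngine On
RewriteCond %{HTTPS} !=on
# If your plan terminates TLS on a proxy, test %{HTTP:X-Forwarded-Proto}
# against "https" here instead, or the redirect will loop.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
    # Step 2: HSTS. After one https visit the browser rewrites http:// links to
    # https:// itself for max-age seconds (here one year, 31536000 seconds).
    # Browsers ignore this header on plain-http responses, so it is safe to
    # emit it on every response. Start with a short max-age (e.g. 300) while
    # testing: a long value stays in visitors' browsers until it expires and
    # cannot be withdrawn early. Add "; preload" only if you intend to submit
    # the domain to the browser preload lists, since that is hard to undo.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Step 3: the security response headers described in the article.
    # Stop other origins from framing the page (click-jacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Make the browser honour the declared Content-Type instead of sniffing it.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy XSS filter switch for older browsers; current browsers ignore it.
    Header always set X-XSS-Protection "1; mode=block"
    # Content Security Policy: only scripts served from this origin may run.
    # Remove or relax this line if third-party scripts (analytics, widgets)
    # stop working; it is the restrictive line the article refers to.
    Header always set Content-Security-Policy "script-src 'self'"
</IfModule>
```

After uploading, confirm the headers with a request to the https:// URL (for example with your browser's developer tools, Network tab); the Strict-Transport-Security header should appear only on https responses.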
Windows Accounts

ENABLING HSTS (Windows Hosting)

The HSTS header makes the browser automatically change insecure requests (http://) into secure requests (https://). This only takes effect after the browser's first visit to the page, so you still need a 301 redirect to force the site onto SSL on that first request. To do this we must add a strict-transport-security header. To enable HSTS for your site using web.config, follow these steps:
ENABLING SECURITY RESPONSE HEADERS (Windows Hosting)

Add these security response headers to your web.config. Replace yourdomain.com in the rule with the domain you are applying the rule to.
The content-security-policy line above can be removed if it causes problems on your website. The policy only allows scripts from your own domain, so it is fairly restrictive. We suggest learning more about content-security-policy.

Contact Support

If you are still having issues, please contact us for further help.