How to enable HSTS and Security Response Headers

HSTS and other security response headers are web page headers that convey details to the browser to enforce security settings. It is recommended that you enable them. Please use the instructions below for your type of web hosting plan Linux or Windows.

Linux Accounts

ENABLING HSTS (Linux Hosting)

The HSTS header automatically changes insecure requests (http://) to secure requests (https://). This is done following the first visit to the page so you will still need to add a 301 redirect to force the site into SSL (on the first hit). To do this we must add a strict-transport-security header.

To enable HSTS for your site, follow these steps:

1. Navigate to the ~/public_html directory.
2. Open the .htaccess file or create a new one.
3. Copy the code below, and then paste it into the .htaccess file.
4. Save your changes to the .htaccess file. HSTS is now enabled for your site.

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

ENABLING SECURITY HEADERS USING .HTACCESS (Linux Hosting)

The following security headers will enable cross-site-scripting (XSS) protection, prevent click-jacking, and set content types that are supported to the browser.

First, let's combine them into a single, code snippet. Add that to your site's root .htaccess. These are the most basic options and we do advise learning more about security headers.

#Security Headers

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' yourdomain.com"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=(self), sync-xhr=(), microphone=(), camera=(), autoplay=()"
</IfModule>

Note: Change "yourdomain.com" to a list of all subdomains needed separated by a space. e.g. ephost.com www.ephost.com example.ephost.com.

The content-security-policy line above can be removed if it is causing problems on your website. The policy states that only scripts from your own domain are allowed on your site so it is fairly restrictive. We suggest learning more about content-security-policy.

Windows Accounts:

ENABLING HSTS (Windows Hosting)

The HSTS header automatically changes insecure requests (http://) to secure requests (https://). This is done following the first visit to the page so you will still need to add a 301 redirect to force the site into SSL (on the first hit). To do this we must add a strict-transport-security header.

To enable HSTS for your site using web.config, follow these steps:

1. Navigate to the wwwroot directory
2. Open the web.config file.
3. Copy the following lines into the web.config file. Add these rewrite rules to implement HTTPS and HSTS in the Web.Config for any domain. This particular example also enforces HTTPS using a redirect.

<system.webServer>
    <rewrite>
        <rules>
            <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
        </rules>
        <outboundRules>
            <rule name="Add the STS header in HTTPS responses">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
            </rule>
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />
                <action type="Rewrite" value="" />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>

ENABLING SECURITY RESPONSE HEADERS (Windows Hosting)

Add these Security Response Headers in the Web.Config. You would need to replace yourdomain.com in this rule with the domain you would be using this rule for.

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Powered-By-Plesk" />
        <add name="X-Frame-Options" value="SAMEORIGIN"></add>
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' yourdomain.com;"></add>
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <add name="Permissions-Policy" value="geolocation=(self), sync-xhr=(), microphone=(), camera=(), autoplay=()" />
    </customHeaders>
</httpProtocol>

Note: Change "yourdomain.com" to a list of all subdomains needed separated by a space. e.g. ephost.com www.ephost.com example.ephost.com.

The content-security-policy line above can be removed if it is causing problems on your website. The policy states that only scripts from your own domain are allowed on your site so it is fairly restrictive. We suggest learning more about content-security-policy. 

Contact Support

If you are still having issues, please contact us for further help.
1-877-EPHOST1 | support@ephost.com