6.1.8 How to enable HSTS for your site
HSTS (HTTP Strict Transport Security) is a web security mechanism, standardised by the IETF in RFC 6797, that lets a website declare that it must only be accessed over HTTPS. Once a browser has received the HSTS header from a site over HTTPS, it connects to that site only over HTTPS for the declared period and rewrites any http:// URL for it to https:// before the request leaves the browser. This protects users and the site against SSL stripping and other downgrade attacks (forcing a switch from HTTPS back to HTTP) and against session-cookie theft through plain-HTTP requests that an attacker injects into the user's traffic. In this guide, we explain how to enable HSTS in an Nginx configuration.
Advantages of HSTS
- Protection against downgrade attacks. After the first visit over HTTPS, the browser refuses to send plain-HTTP requests to the site for the lifetime of the policy, so an attacker on the network path cannot strip the connection down to HTTP;
- Certificate errors cannot be bypassed. On an HSTS host the browser removes the "proceed anyway" option for an invalid certificate, so a user cannot be talked into accepting an attacker's certificate;
- Automatic transition to HTTPS. Even if the user enters the address without a protocol or with http://, the browser rewrites it to https:// itself;
- Faster loading. The browser upgrades the URL internally, so no plain-HTTP request and 301 redirect round-trip is needed. Keep the server-side redirect anyway: first-time visitors and clients without HSTS support still rely on it;
- Better security rating. Security scanners and site-rating services count a correct HSTS header as a positive signal.
HSTS Limitations and Risks
Important: When a browser receives the HSTS header it caches the policy (not the site) for max-age seconds. If you later turn HTTPS off or remove the header, those clients cannot reach the site over HTTP until the policy expires or is cleared (explained below). The safe way to retire HSTS is to keep HTTPS running and serve Strict-Transport-Security: max-age=0 for at least as long as the old max-age; browsers drop the policy on their next HTTPS visit. A domain that is already on the preload list additionally has to be removed from the list, which takes months;
- Does not protect the first visit. Until the browser has received the header over HTTPS, its first request (typically to http://example.com) can still be intercepted. The remedy is the HSTS Preload List, which ships the policy inside the browser itself (explained later);
- Misconfigurations can block access. If includeSubDomains is enabled but some subdomains serve only HTTP (a forgotten staging host, an internal tool, a webmail client), browsers will refuse to open them. Audit every subdomain in DNS before enabling it;
- Dependency on the TLS certificate. An expired or misconfigured certificate normally produces a warning the user can click through; on an HSTS host there is no bypass, and the site is completely inaccessible until the certificate is fixed. Automate renewal and monitor expiry;
- Potential for tracking (supercookies). A site can encode an identifier by setting HSTS on a chosen subset of many subdomains and later read it back by observing which of them the browser upgrades to HTTPS. Browsers mitigate this only partially, so it remains a known fingerprinting vector;
- Does not protect against HTTPS/TLS attacks. HSTS only enforces that HTTPS is used; weak cipher suites, outdated protocol versions or a compromised certificate are outside its scope.
Server Preparation
Important: Before configuring HSTS, ensure that:
- A TLS (SSL) certificate is installed and the site already works over HTTPS;
- The Nginx web server is installed and properly configured;
- You have root access. If you are a client of our shared hosting and do not have root access, HSTS can be enabled by contacting Support.
Before making any changes, it is recommended to update your system. This can be done using one of the following commands, depending on the operating system:
Example for Debian/Ubuntu
sudo apt update
sudo apt upgrade -y
Example for CentOS/AlmaLinux/RockyLinux
sudo dnf update -y
Configuring HSTS in Nginx
HSTS is a response header that the web server sends, so enabling it means modifying the Nginx configuration file. Before making any changes, it is advisable to back up the configuration or the entire system.
1. Open the Nginx configuration file:
sudo nano /etc/nginx/sites-available/default
# or
# Replace `example.com` with your domain
sudo nano /etc/nginx/sites-available/example.com
Tip: If you are using a virtual or dedicated server with ISPManager4, you can edit the Nginx configuration for your domain as follows:
2. Add the header inside the HTTPS server {} block. Keep the plain-HTTP server {} block as a redirect only: browsers ignore a Strict-Transport-Security header received over HTTP, and the preload list requires the redirect. Serve the header from the bare domain as well as www, otherwise includeSubDomains only covers subdomains of www.example.com:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # ssl_certificate and ssl_certificate_key directives for the domain go here
    # max-age=31536000 tells the browser to enforce HTTPS for one year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
Breakdown of HSTS parameters:
- max-age=31536000 – How long, in seconds, the browser remembers the policy. 31,536,000 seconds is one year, the minimum the preload list accepts. During rollout start with a short value (for example max-age=300), confirm that everything works over HTTPS, then raise it;
- includeSubDomains – (Optional) Extends the policy to all subdomains of the host that sent the header (subdomain.example.com, www.example.com, etc. when the header comes from example.com). Required for preloading;
- preload – Signals consent to inclusion in the browser's HSTS Preload List. It has no effect on its own but is required for submission (detailed below). Only add it when you intend to submit the domain: the list is compiled into browser releases, and getting removed again takes months;
- always – An argument of the Nginx add_header directive (Nginx 1.7.5 or newer), not an HSTS directive. Without it Nginx attaches the header only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so error pages such as 404 or 500 would go out without HSTS.
Verification and Testing
After configuring HSTS, it’s crucial to test the site and ensure it functions correctly. For additional security, you can register the site in the HSTS Preload List.
Checking the Nginx Configuration
sudo nginx -t
If no errors are reported, reload the configuration (a reload applies it without dropping open connections; a restart also works):
sudo systemctl reload nginx
Checking HSTS Headers
Run curl (grep -i is needed because header names are lowercase when curl negotiates HTTP/2):
curl -sI https://example.com | grep -i strict-transport-security
Expected response using the example values:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The word always never appears in the header itself; it is only an argument to add_header. If you see stray quotes or text after preload, the add_header line in the configuration is malformed.
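To check the header automatically rather than by eye, here is an added shell script that is not part of the original guide. It parses a Strict-Transport-Security value directive by directive and reports whether it meets the preload-list requirements (max-age of at least one year, includeSubDomains, preload), and when given a host name it fetches the header and the HTTP redirect with curl. The function names and the sample header values are this example's own; it assumes POSIX sh and curl.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes POSIX sh and curl.
# Function names (hsts_check, hsts_fetch, hsts_redirect_check) are this example's own.

# hsts_check VALUE
# Parses a Strict-Transport-Security header value directive by directive and
# returns 0 only when it meets the preload-list requirements:
# max-age of at least 31536000 (one year), includeSubDomains and preload present.
# Directive names are case-insensitive (RFC 6797), so the value is lowercased first.
hsts_check() {
    value=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    max_age='' have_sub=0 have_pre=0 rc=0
    old_ifs=$IFS; IFS=';'; set -f            # split on ';' only, no glob expansion
    for tok in $value; do
        tok=$(printf '%s' "$tok" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case $tok in
            '') ;;                           # empty piece from a trailing ';'
            max-age=*) max_age=${tok#max-age=} ;;
            includesubdomains) have_sub=1 ;;
            preload) have_pre=1 ;;
            *) echo "WARN: unrecognised directive '$tok' (typo or stray characters in add_header?)" ;;
        esac
    done
    set +f; IFS=$old_ifs
    case $max_age in
        '') echo "FAIL: max-age directive missing"; rc=1 ;;
        *[!0-9]*) echo "FAIL: max-age '$max_age' is not a number"; rc=1 ;;
        *) if [ "$max_age" -lt 31536000 ]; then
               echo "FAIL: max-age=$max_age is below one year (31536000), too short for preload"; rc=1
           else
               echo "ok: max-age=$max_age"
           fi ;;
    esac
    if [ "$have_sub" -eq 1 ]; then echo "ok: includeSubDomains present"; else echo "FAIL: includeSubDomains missing"; rc=1; fi
    if [ "$have_pre" -eq 1 ]; then echo "ok: preload present"; else echo "FAIL: preload missing"; rc=1; fi
    return $rc
}

# hsts_fetch HOST
# HEAD request over HTTPS; prints only the header value. Lowercasing first handles both
# HTTP/1.1 (Strict-Transport-Security) and HTTP/2 (lowercase) header names, and
# tr -d '\r' strips the CR that curl keeps at the end of each header line.
hsts_fetch() {
    curl -sSI --max-time 10 "https://$1/" | tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^strict-transport-security: *//p' | head -n 1
}

# hsts_redirect_check HOST
# The preload list also requires plain HTTP to redirect to HTTPS on the same host.
# Prints the status code and the Location curl saw, without following the redirect.
hsts_redirect_check() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}\n' "http://$1/"
}

# Usage: sh hsts_check.sh example.com
# Without an argument only the offline self-check on constructed values runs.
if [ "$#" -gt 0 ]; then
    host=$1
    echo "HTTP redirect: $(hsts_redirect_check "$host")"
    hdr=$(hsts_fetch "$host")
    if [ -z "$hdr" ]; then
        echo "FAIL: no Strict-Transport-Security header from https://$host/"; exit 1
    fi
    echo "header: $hdr"
    hsts_check "$hdr"
else
    # Constructed sample values, not captured from a real server:
    hsts_check 'max-age=31536000; includeSubDomains; preload'        # passes every check
    hsts_check 'max-age=300; includeSubDomains' || echo "(rejected, as expected)"
fi
```

Run it as sh hsts_check.sh example.com against the live site; a non-zero exit status means the header is missing or not yet preload-ready. The WARN line is the useful one for the "stray characters after preload" case: a malformed add_header line shows up as an unrecognised directive instead of silently passing.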
Common Errors and Solutions
Error: nginx: [emerg] unknown directive "add_header"
Solution:
- add_header is provided by ngx_http_headers_module, which is part of every standard Nginx build, so this error almost always means the directive name is misspelled or contains invisible characters (non-breaking spaces pasted from a web page). Retype the line by hand and check the syntax with nginx -t.
- nginx -V prints the build configuration if you need to confirm which modules your package contains.
HSTS header missing in response
Solution:
- Verify that HTTPS is working correctly and that you are testing an https:// URL: the header only needs to be sent, and is only honoured, over HTTPS.
- Ensure the Strict-Transport-Security header is added inside the server { listen 443 ssl; } block, not only in the port 80 block.
- Check for add_header directives in location {} blocks. Nginx does not merge them: a location with its own add_header inherits none of the server-level headers, so the HSTS line has to be repeated there (or moved into an include used by every location).
- Add always if the response you are testing is an error page or a redirect; without it the header is omitted on most non-200 responses.
Website unreachable after HTTPS was disabled or the certificate broke
Solution: This is normal HSTS behaviour: browsers that hold the policy refuse both plain HTTP and a broken certificate. For visitors in general the only fix is to restore working HTTPS (or, when retiring HSTS, to serve max-age=0 over HTTPS first). For your own test browser you can clear the cached policy:
- In Chrome: open chrome://net-internals/#hsts, enter the domain under "Delete domain security policies" and delete it (domains on the built-in preload list cannot be removed this way);
- In Firefox: open the History library, right-click the site and choose "Forget About This Site", or use "Clear Recent History" with "Site settings" selected.