HTTP Strict Transport Security (HSTS) is a response header which ensures that browsers and user agents always connect to your WordPress blog over HTTPS, even when the address is typed without a scheme.
It works like a 301 redirect, but at the browser level.
The HSTS header tells the browser to connect to the current domain only over HTTPS, without first sending a plain-HTTP request.
This makes HSTS far better than 301 redirects, which are insecure on the first visit because that initial HTTP request can be intercepted.
Currently, all major browsers, including Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari and Opera, support HTTP Strict Transport Security (HSTS).
Benefits of HTTP Strict Transport Security (HSTS)
- Helps prevent man-in-the-middle attacks and cookie hijacking.
- Helps avoid mixed content issues.
- Does not allow a user to click through invalid certificate warnings.
- Can be preloaded into browsers by submitting your domain to the preload list.
- Avoids insecure redirects from HTTP to HTTPS.
- Also improves WordPress blog speed by eliminating a redirect.
Enable HTTP Strict Transport Security (HSTS) in .htaccess (Apache)
# Enable HSTS on WordPress blog (needs mod_headers; env=HTTPS limits the header to TLS responses)
# Note: the browser preload list at hstspreload.org requires max-age of at least 31536000 (one year)
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload" env=HTTPS
“preload” signals that your domain may be added to the browsers' built-in preload list, so the HSTS policy is known before the very first visit. Without preload, HSTS is only set after the first HTTPS response, and that first request is the one an attacker can intercept. To avoid this situation, preload is a must.
“env=HTTPS” ensures that the header is only sent on the secure [https] version and not on the insecure [http] version of your WordPress blog; browsers ignore HSTS received over plain HTTP anyway.
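The two ideas above, the browser-level "redirect" of the opening paragraphs and the meaning of the max-age, includeSubDomains and preload directives, can be seen in a small model. The following is an added example written for this page, not code from the original post or from WordPress: it parses a Strict-Transport-Security value, reports what the preload list would reject (the one-year minimum is the hstspreload.org requirement, which the 30-day value above does not meet), and simulates a browser's HSTS store upgrading later http:// navigations. The hostnames (example.com, blog.example.com) and the fake clock are constructed for illustration.

```python
"""Added example: a minimal model of how a browser handles HSTS, plus a
preload-readiness check. Hostnames are constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit

# hstspreload.org requires at least one year; the post's 30-day value (2592000)
# is valid HSTS but is not eligible for the preload list.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an STS header value. Returns None if max-age is missing, malformed
    or a directive is duplicated, in which case browsers ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' such as in the Nginx snippet below
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_problems(value):
    """List the reasons a header value would be rejected by the preload list."""
    p = parse_hsts(value)
    if p is None:
        return ["max-age missing or malformed"]
    problems = []
    if p["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {p['max_age']} is below {PRELOAD_MIN_MAX_AGE} (1 year)")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload token missing")
    return problems


class HstsCache:
    """Toy browser HSTS store: remembers hosts that sent the header over HTTPS
    and rewrites later http:// navigations to https:// before any request leaves."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # HSTS over plain HTTP is ignored, hence env=HTTPS costs nothing
        value = headers.get("strict-transport-security")
        p = parse_hsts(value) if value is not None else None
        if p is None:
            return
        host = parts.hostname.lower()
        if p["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget
            return
        self.entries[host] = (self.now() + p["max_age"], p["include_subdomains"])

    def is_known(self, host):
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):  # walk up: blog.example.com, example.com, com
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or self.now() >= entry[0]:
                continue  # unknown or expired (max-age elapsed)
            if candidate == host or entry[1]:
                return True
        return False

    def rewrite(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """First visit is unprotected; after one HTTPS response the host and its
    subdomains are upgraded, until max-age (30 days here) expires."""
    clock = [1_000_000]  # constructed fake clock, seconds
    cache = HstsCache(now=lambda: clock[0])
    hdr = {"strict-transport-security": "max-age=2592000; includeSubDomains; preload"}
    cache.observe_response("http://example.com/", hdr)   # ignored: not HTTPS
    first = cache.rewrite("http://example.com/wp-login.php")
    cache.observe_response("https://example.com/", hdr)  # now remembered
    second = cache.rewrite("http://example.com/wp-login.php")
    sub = cache.rewrite("http://blog.example.com/")
    clock[0] += 2592000 + 1                              # past max-age
    expired = cache.rewrite("http://example.com/")
    return first, second, sub, expired


if __name__ == "__main__":
    print(demo())
    print(preload_problems("max-age=2592000; includeSubDomains; preload"))
```

The `demo()` walk-through is the gap the post describes: the very first http:// navigation is not rewritten, which is exactly what the preload list closes, and once max-age elapses the browser forgets the policy, so a max-age far longer than 30 days is what you want in production.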
Enable HTTP Strict Transport Security (HSTS) on Nginx
# Enable HSTS on WordPress blog (place inside the HTTPS server block; "always" also sends it on error responses)
add_header Strict-Transport-Security 'max-age=2592000; includeSubDomains; preload' always;
Example of HTTP Strict Transport Security (HSTS)
Want to see HSTS in action?
Just type kunaldesai.blog in Google Chrome browser.
And you will see the secure version of my WordPress blog.
Today you learned how to enable HTTP Strict Transport Security (HSTS) in WordPress.
WordPress Consultant
If you want to enable HSTS on your site, contact me.