How to Enable HTTP Strict Transport Security in WordPress

Learn How to Implement HTTP Strict Transport Security aka HSTS

What is HTTP Strict Transport Security (HSTS)?

How to implement HSTS?

How to enable HSTS?

How to implement HTTP Strict Transport Security (HSTS) in Apache?

How to implement HTTP Strict Transport Security (HSTS) in Nginx?

How to enable HTTP Strict Transport Security (HSTS) using htaccess?

If you are looking for answers to the above questions, then you have come to the right place.

Congrats, and pat yourself on the back.

You did an excellent job. Keep it up!

You are a wonderful human being.

Now let's get back to our article on HSTS.

What is HSTS?

HTTP Strict Transport Security (HSTS) is a response header which ensures that web browsers and other user agents always connect to your site over HTTPS, even when the visitor types the address without a protocol.

It works like a 301 redirect, but enforced at the browser level: the browser upgrades the request to HTTPS before it is ever sent. This is what makes it very fast.

The HSTS header tells the browser to connect to the current domain only over HTTPS.

This makes HSTS far better than 301 redirects alone, which leave the first plain-HTTP request unprotected. Note that HSTS itself only takes effect after the browser has seen the header once over HTTPS; closing that gap for the very first visit is what the preload list (below) is for.

Which Browsers Support HSTS

All current major web browsers support HSTS, including but not limited to Brave, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

HTTP Strict Transport Security (HSTS) Benefits

  • Helps prevent man-in-the-middle attacks and cookie hijacking.
  • Helps avoid mixed content issues.
  • Does not allow a user to click through invalid certificate warnings.
  • Can be preloaded into browsers by submitting your domain to the HSTS preload list.
  • Avoids insecure redirects from HTTP to HTTPS.
  • Also improves WordPress blog speed by eliminating a redirect.

Enable HTTP Strict Transport Security (HSTS) in htaccess

# Enable HSTS on WordPress blog
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

The “max-age” directive specifies the time in seconds for which the browser caches this policy.

The “includeSubDomains” directive instructs browsers to apply this policy to all subdomains as well, so every subdomain must already be reachable over HTTPS before you add it.

The “preload” directive indicates that the site wants to be added to the HSTS preload list built into browsers. It has no effect on its own; the domain must be submitted at hstspreload.org, which requires a max-age of at least one year together with includeSubDomains, and removal from the list can take months to propagate.

“env=HTTPS” ensures that the header is only sent on the secure [https] version and not on the insecure [http] version of your WordPress blog (browsers ignore HSTS received over plain HTTP anyway). The Header directive requires mod_headers to be enabled, and the HTTPS environment variable is set by mod_ssl on TLS connections.

Enable HTTP Strict Transport Security (HSTS) in Nginx

# Enable HSTS on WordPress blog (inside the server { } block that listens on 443 with ssl)
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

Example of HTTP Strict Transport Security (HSTS)

Want to see HSTS in action?
Just type kunaldesai.blog into the Google Chrome address bar, and you will see the secure version of my WordPress blog.

Have you enabled HSTS on your site? If no, do it now.