Implement HSTS

The HTTP Strict Transport Security (HSTS) policy protects users by telling their web browser that it must only interact with the web server over a secure (HTTPS) connection.

It is implemented by sending the Strict-Transport-Security HTTP response header.

Apache

  • Add it for all Apache websites of the account via global directives (menu Web > Configuration > Apache):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Or per website, by adding it at the top of a .htaccess file created at the website's root:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

uWSGI

Add the following to the uWSGI additional settings (menu Web > Site > Modify the [site] - ⚙️ > Advanced Settings). The first route redirects plaintext requests to HTTPS; the second sets the header only on HTTPS responses, since browsers ignore HSTS received over HTTP:

plugins = router_redirect
route-if-not = equal:${HTTPS};on redirect-permanent:https://${HTTP_HOST}${REQUEST_URI}
route-if = equal:${HTTPS};on addheader:Strict-Transport-Security: max-age=31536000

Node.js

Place this before any other middleware or controller:

app.use(function(req, res, next) {
  if (req.secure) {
    res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains') // 2 years
  }
  next()
})

Alternatively, using the helmet npm package:

var helmet = require('helmet')
...
app.use(helmet.hsts({
  maxAge: 31536000000, // 1 year in milliseconds (helmet < 3; from helmet 3 this option takes seconds)
  includeSubdomains: true,
  force: true
}));

Directives

  • max-age defines, in seconds, how long browsers apply the HSTS policy (31536000 = one year),
  • includeSubDomains applies the HSTS policy to the domain and all of its subdomains,
  • preload marks the site as a candidate for the HSTS preload lists shipped with browsers.

Only max-age is required; the other two directives are optional.
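The Node.js snippet above sets the header only on secure responses. As an added example (not part of this page or of the helmet package), the following plain Node.js helper ties the three directives together: it builds a header value and refuses the combination the preload lists reject, parses an incoming header the way a browser does (case-insensitive directive names, max-age mandatory and present exactly once, unknown directives ignored), and wraps both into a middleware that also redirects plaintext requests to HTTPS, mirroring the uWSGI route above. It assumes an Express-style `(req, res, next)` middleware signature and a `req.secure` flag (plain Node's `socket.encrypted` is honoured as well); the function names buildHsts, parseHsts and hstsMiddleware are our own.

```javascript
'use strict';
// Added example, not code from the original page: HSTS helpers for Node.js.

const ONE_YEAR = 31536000; // seconds, the value used throughout the page

// Build a Strict-Transport-Security value. max-age is mandatory; the other
// two directives are emitted only when requested.
function buildHsts({ maxAge = ONE_YEAR, includeSubDomains = false, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('max-age must be a non-negative integer number of seconds');
  }
  // The browser preload lists require includeSubDomains and max-age >= 1 year.
  if (preload && (!includeSubDomains || maxAge < ONE_YEAR)) {
    throw new Error('preload requires includeSubDomains and max-age >= 31536000');
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Parse a header value as a browser would (RFC 6797 section 6.1): directive
// names are case-insensitive, max-age must appear exactly once and may be
// quoted, unknown directives are ignored. Returns null for an invalid header.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    let [name, val = ''] = directive.split('=', 2).map((s) => s.trim());
    val = val.replace(/^"(.*)"$/, '$1'); // accept max-age="31536000"
    switch (name.toLowerCase()) {
      case 'max-age':
        if (result.maxAge !== null || !/^\d+$/.test(val)) return null;
        result.maxAge = Number(val);
        break;
      case 'includesubdomains':
        result.includeSubDomains = true;
        break;
      case 'preload':
        result.preload = true;
        break;
      default:
        // unknown directives are ignored
    }
  }
  return result.maxAge === null ? null : result;
}

// Middleware: redirect plaintext requests to the HTTPS origin and set HSTS
// only on secure responses (browsers ignore the header received over HTTP).
function hstsMiddleware(options) {
  const headerValue = buildHsts(options);
  return function (req, res, next) {
    // Express exposes req.secure; plain Node marks TLS sockets with socket.encrypted.
    const secure = req.secure === true || Boolean(req.socket && req.socket.encrypted);
    if (!secure) {
      // Same effect as the uWSGI redirect-permanent route above.
      res.writeHead(301, { Location: `https://${req.headers.host}${req.url}` });
      res.end();
      return;
    }
    res.setHeader('Strict-Transport-Security', headerValue);
    next();
  };
}

module.exports = { buildHsts, parseHsts, hstsMiddleware };
```

Usage: `app.use(hstsMiddleware({ maxAge: 63072000, includeSubDomains: true }))` before any other route. Setting `maxAge: 0` produces `max-age=0`, which is the documented way to tell browsers to drop a previously stored policy, so the builder deliberately allows it.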