How to Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a security mechanism in which a website tells the browser that all future requests should be made over HTTPS. Using HSTS will force all future requests to the current domain name to use https:// URLs even if the user attempts to go to links using http:// URLs.

You can enable HSTS headers by adding the following in a .htaccess file in your app's web root directory (public):

```apache
# Using this header, any browser that accesses the site over HTTPS will not
# be able to access the plain HTTP site for one year (31536000 seconds).
# Once you begin using this, you should not stop using SSL on your site or
# else your returning visitors will not be able to access your site at all.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
```

Once you enable HSTS, you are committed to SSL. You will not be able to go back to plain HTTP for your app.

HSTS only takes effect after a browser has already received the header over HTTPS, so if you want to force users to HTTPS you will still need to redirect requests from HTTP to HTTPS.
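The following is an added example, not code from the article or from any hosting platform. It models both sides of the flow described above: `serve()` plays the role of the `.htaccess` rule (redirect plain HTTP, send the HSTS header only on HTTPS responses), and `HstsCache` plays the browser, which records the policy only when it arrives over HTTPS, upgrades later `http://` URLs to `https://` without sending a request, and forgets the policy once `max-age` has elapsed. The hostname `example.com`, the fake clock and the responses are constructed for the walkthrough; the header value is the one the rule above sends.

```python
"""Browser-side and server-side model of the HSTS flow described above.

Added example, not the article's code. Assumptions: the server sends
max-age=31536000 only on HTTPS responses (the env=HTTPS condition), and
the hostname example.com and all responses below are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds, the article's max-age


def parse_max_age(header_value):
    """Return the max-age from a Strict-Transport-Security value, or None.

    Directive names are case-insensitive, the number may be quoted and
    unknown directives are ignored. A missing or non-numeric max-age makes
    the header unusable, so the browser discards it.
    """
    for directive in header_value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None


def serve(url):
    """Server side, mirroring the .htaccess: redirect HTTP, HSTS on HTTPS only."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        target = urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))
        return 301, {"Location": target}
    return 200, {"Strict-Transport-Security": "max-age=%d" % ONE_YEAR}


class HstsCache:
    """Browser side: remembered HSTS policies, keyed by host."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._expiry = {}  # host -> absolute time the policy lapses

    def observe(self, url, headers):
        """Record a policy. Ignored unless the response came over HTTPS."""
        parts = urlsplit(url)
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if parts.scheme != "https" or value is None:
            return False
        max_age = parse_max_age(value)
        if max_age is None:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self._expiry.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._expiry[host] = self._clock() + max_age
        return True

    def is_known(self, host):
        """True while an unexpired policy exists for host."""
        expiry = self._expiry.get(host.lower())
        if expiry is not None and expiry > self._clock():
            return True
        self._expiry.pop(host.lower(), None)  # expired or never recorded
        return False

    def rewrite(self, url):
        """Return the URL the browser actually requests: http:// -> https://."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def walkthrough():
    """First visit via http://, a later http:// link, then one year later."""
    now = [1_700_000_000]  # constructed clock so expiry can be simulated
    cache = HstsCache(clock=lambda: now[0])
    out = {}
    # 1. Nothing cached yet: the http:// request really goes out, and the
    #    server-side redirect (which HSTS does not replace) answers it.
    first = cache.rewrite("http://example.com/")
    status, headers = serve(first)
    out["first_status"] = status
    cache.observe(first, headers)  # a 301 over HTTP carries no policy
    # 2. The browser follows the redirect; the HTTPS response carries HSTS.
    target = headers["Location"]
    status, headers = serve(target)
    out["learned"] = cache.observe(target, headers)
    # 3. A later http:// link is upgraded before any request leaves the browser.
    out["upgraded"] = cache.rewrite("http://example.com/login?next=/")
    # 4. One year later with no HTTPS visit in between, the policy has lapsed.
    now[0] += ONE_YEAR + 1
    out["after_expiry"] = cache.rewrite("http://example.com/login")
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(key, "=", value)
```

Step 1 of the walkthrough is why the redirect is still required: a first-time visitor who types `http://` has no cached policy, so only the server can move them to HTTPS. Step 3 shows the commitment the article warns about: once the policy is cached, the browser never sends plain HTTP to that host until `max-age` runs out, regardless of whether the server still offers HTTPS.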