Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a security mechanism by which a site tells a web browser that all future requests to it must be made over HTTPS. Once a browser has received an HSTS header in a response from a domain, it rewrites any http:// URL for that domain to https:// before sending the request, for as long as the header's max-age is in effect, even if the user typed or followed an http:// link.

You can enable the HSTS header by adding the following to a .htaccess file in your app's web root directory (public):

# With this header, any browser that has received it over HTTPS will use
# HTTPS for every request to this site for one year (31536000 seconds),
# rewriting http:// URLs itself. Once you begin using this, you must keep
# serving the site over HTTPS, or returning visitors will not be able to
# reach your site at all until the policy expires.
# env=HTTPS sends the header only on HTTPS responses; browsers ignore an
# HSTS header received over plain HTTP, so sending it there is pointless.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
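To see what a browser does with the header above, here is an added example (not part of the original article) that parses a Strict-Transport-Security value following RFC 6797 and then applies the stored policy to later http:// URLs the way a browser does; the header values, hostnames and URLs used are constructed for the example.

```python
"""Parse an HSTS header and apply it to later requests like a browser would."""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int                      # seconds the policy stays in effect
    include_subdomains: bool = False  # also cover every subdomain of the host


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Return the policy carried by an HSTS header value, or None when the
    value is invalid per RFC 6797 (no max-age, repeated directive, bad number)."""
    seen, max_age, include_subdomains = set(), None, False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:              # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives (e.g. preload) are ignored, as browsers do
    return None if max_age is None else HstsPolicy(max_age, include_subdomains)


def apply_hsts(url: str, known_hosts: Dict[str, HstsPolicy]) -> str:
    """Rewrite an http:// URL to https:// when a stored policy covers its host.
    A max-age of 0 means the site withdrew the policy, so no upgrade happens.
    (An explicit port in the URL is left untouched to keep the example short.)"""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    labels = (parts.hostname or "").split(".")
    for i in range(len(labels)):           # exact host first, then each parent
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and policy.max_age > 0 and (i == 0 or policy.include_subdomains):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```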